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90 = 100: A Proof 


Construct a four-sided figure ABED as follows: 


e |Z ABE] = 90° 
e | ZDEB| = 100° 
e |AB] = |ED| 


Using that as a starting point, we now tinker a bit to show that 90=100: 


e Draw the perpendicular bisectors to BE and AD; call the point where 
they meet “C”. 


Note: Actually, we must prove that those two perpendicular bisectors 
really do meet at all (i.e., that the point C even exists). In this case, it turns 
out to be pretty clear — it's not hard to argue that lines AD and BE aren't 
parallel, and therefore their perpendicular bisectors aren't parallel, and so 
they must intersect (in Euclidean geometry). Still, be alert for people 
making glib assertions in proofs. 


A construction to help prove that 90=100 


Looking at this figure, some warning flags should be going up: How do we 
know C lies below BD? Might it lie above BD? Or exactly on BD? It turns 
out that the argument below is the same in all of these cases, though you'll 
certainly want to verify this to yourself later. 
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|AB] = |ED| 


[BC] = |EC| 


ZLCBE= ZBEC 


|.CBE| = 
ZLBEC| 


JAC] = |DC| 


AABC=ADEC 
(1!) 


(From here, it's 
just routine steps 
to conclude 
90=100:) 


ZABC=ZDEC 


|Z ABC| = | 
ZDEC 


|Z ABC| = | 
ZABE| + | 
LCBE| 


|ZDEC| = | 
ZDEB] + | 
ZLBEC| 


By construction. 


C is on the perpendicular bisector of 
BE (thus ABEC is isosceles). 


Base angles of isosceles triangle BEC 
are congruent. 


Congruent angles have equal 
measures; line 3. 


C is on the perpendicular bisector of 
AD (thus AADC is isosceles). 


Triangles with three congruent sides 


are congruent (Euclid's Side-Side-Side 
congruence theorem); lines 1,2,5. 


Corresponding parts of congruent 
triangles are congruent; line 6. 


Congruent angles have equal 


measures; line 8. 


By construction. 


By construction. 
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|ZDEC| = | 
ZDEB] + | 
LCBE| 


|Z ABC| = | 
ZDEB] + | 
ZLCBE| 


| ZABE| + | 
LCBE| = | 
ZDEB] + | 
LCBE| 


|Z ABE| = | 
ZLDEB| 


90 = |Z DEB| 


90 = 100 


A useful corollary: 0=1. 


Substituting equals with equals; lines 
11 and 4. 


Substituting equals with equals; lines 
12 and 9. 


Substituting equals with equals; lines 
13 and 10. 


Subtracting equals from equals 
remains equal. 


By construction, and substituting 
equals with equals; line 15. 


By construction, and substituting 
equals with equals; line 16. 


Previous theorem. 


Subtracting equals (90) from equals remains 
equal. 


Dividing equals by non-zero equals (10) remains 


equal. 


Exercise: 


Problem: 


If you feel this result is incorrect, then the challenge for you is to find 
the first line which is false. 


Solution: 


The flaw is extremely hard to find. We won't actually give the solution, 
but here's a hint on how to go about attacking the puzzle: 


Note that finding the bug in the proof is the same skill as debugging a 
program. A good approach is to try various degenerate inputs. In this 
case, there are a couple of “inputs” to the construction—the length of 
CD is arbitrary; no matter how long or short the proof should apply 
equally well. Similarly, the angle 100° seems arbitrary; fiddling with 
inputs like these (making them very small or very large) might give 
you some clues as to where the bug is. A very careful drawing will 
clear things up. 


You may have noticed that the proof given here has some very minuscule 
steps—e.g. “Congruent angles have equal measure.” Usually such simple 
steps can be omitted, since they are obvious to any reader. We include them 
for a few reasons: 


e Asa careful thinker, you should recognize that such small steps really 
are part of the complete reasoning, even if they're not worth 
mentioning continually. 

e If a computer is checking a proof, it needs to actually include those 
steps. 

e Programmers do need to be concerned with distinctions about 
(abstract) types—the difference between angles and their measures, in 
this case. 


e Sometimes a line's justification is glibly given as “by construction”, 
when that may not even be correct ! - ). 


In this course, we'll spend a few weeks working with proofs which do 
include all the small, pedantic steps, to instill a mental framework for what 
a rigorous proof is. But after that, you can relax your proofs to leave out 
such low-level steps, once you appreciate that they are being omitted. 


Introduction: logic motivation 


The ancient Greeks loved to hang around on the stoa, sip some wine, and 
debate. But at the end of the day, they wanted to sit back and decide who 
had won the argument. When Socrates claims that one statement follows 
from another, is it actually so? Shouldn't there be some set of rules to 
officially determine when an argument is correct? Thus began the formal 
study of logic. 


Note: The three fundamental studies were the Trivium — grammar 
(words), logic (reasoning), and rhetoric (effective communication). These 
allowed study of the Quadrivium — arithmetic (patterns in number), 
geometry (patterns in space), music (patterns in tone), and astronomy 
(patterns in time). All together, these subjects comprise the seven liberal 
arts. 


These issues are of course still with us today. And while it might be difficult 
to codify real-world arguments about (say) gun-control laws, programs can 
be fully formalized, and correctness can be specified. We'll look at three 
examples where formal proofs are applicable: 


e playing a simple game, WaterWorld; 
e checking a program for type errors; 
e circuit verification. 


Many other areas of computer science routinely involve proofs, although 
we won't explore them here. Manufacturing robots first prove that they can 
twist and move to where they need to go before doing so, in order to avoid 
crashing into what they're building. When programming a collection of 
client and server computers, we usually want to prove that the manner in 
which they communicate guarantees that no clients are always ignored. 
Optimizing compilers prove that, within your program, some faster piece of 
code behaves the same as and can replace what you wrote. With software 


systems controlling more and more life-critical applications, it's important 
to be able to prove that a program always does what it claims. 


WaterWorld 


Consider a game called WaterWorld, where each location is either empty 
sea or contains a pirate. When you enter a location, you must correctly 
anticipate whether or not it contains pirates. 


e If you correctly anticipate open sea, you are able to enter and 
determine how many of the (up to 3) adjacent locations contain a 
pirate. 

e If you correctly anticipate a pirate, the location is tagged as dangerous, 
and you gather no further information. 


Furthermore, there are really two types of moves: guesses, and assertions. If 
you make an assertion, then even if you happen to be correct but it is 
possible you could have been wrong, then it is an error. Also, it is an error if 
you make a guess about a location if it is actually possible to assert a 
location's contents. The interesting fact about these types of games is that 
while sometimes guesses are necessary (when?), surprisingly often an 
assertion can be made. 


(You can freely download WaterWorld. ) 


&, 


Glimpses of two different 
WaterWorld boards 


For instance, in the first board, what assertions can we be sure of? What, 
exactly, is your reasoning? How about in the second board? You can 
certainly envision wanting a computer player that can deduce certain 
moves, an make those for you automatically. 


Type Checking 


When writing a program, we'd like to simply look at the program and 
determine whether it has any bugs, without having to run it. We'll see in the 
future, however, that such a general problem cannot be solved. Instead, we 
focus on finding more limited kinds of errors. Type checking determines 
whether all functions are called with the correct type of inputs. E.g., the 
function + should be called with numbers, not Booleans, and a function 
which a programmer has declared to return an integer really should always 
return an integer. Consider the following program: 


// average: 
// Simply divide sum by N, but guard against 
dividing by 0. 
// 
real-or-false average( real sum, natNum N ) { 
if (N != 0) 
return sum / N; 
else 
return false; 
} 


One reason programmers are required to declare the intended type of each 
variable is so that the computer (the compiler) can prove that certain errors 
won't occur. How can you or the compiler prove, in the above, that 


average returns a real number or false, but never returns (say) a string, 
and doesn't raise an exception? Deductions are made based on premises 
about the types that are passed in, along with axioms about the input and 
return types of the built-in functions if, !=, and /, as well as which 
exceptions those built-ins might raise. 


Consider this variant: 


// augment-average: 
// Given an old sum and N, compute the average if 
one more 
// datum were included. 
// 
real augment_average( real old_sum, natNum old_N, 
real new_datum ) { 

return average( old_sum + new_datum, old_N + 1 
); 
} 


Most compilers will reject augment -average, claiming that it may 
actually return false. However, we're able prove that it really will only 
return a real, by using some knowledge about natural numbers and adding 
1, plus some knowledge of what average returns. (Note that our 
reasoning uses aspects of average's interface which aren't explicitly 
stated; most type systems aren't expressive enough to allow more detailed 
type contracts, for reasons we'll allude to later.) So we see that many 
compilers have overly conservative type-checkers, rejecting code which is 
perfectly safe, because they are reasoning with only a narrow set of type- 
rules. 


This example alludes to another use of logic: Not only is it the foundation 
of writing proofs (ones that can be created or checked by computers), but 
logic can also be used as an unambiguous specification language. 
Observe that while a function's implementation is always specified formally 
and unambiguously — in a programming language — the interface is 
specified entirely English, aside from a few type declarations. Many bugs 


stem from ambiguities in the English, that different humans interpret 
differently (or, don't think about). Being able to use logic to specify an 
interface (and cannot be modified even if the somebody later tunes the 
implementation) is an important skill for programmers, even when those 
logic formulas aren't used in proofs. 


Circuit Verification 


Given a circuit's blueprints, will it work as advertised? In 1994, Intel had to 
recall five million of its Pentium processors, due to a bug in the arithmetic 
circuitry: This cost Intel nearly half a billion dollars, lots of bad publicity, 
and it happened after intensive testing. Might it have been possible to have 
a program try to prove the chip's correctness or uncover an error, before 
casting it in silicon? 


Software and hardware companies are increasingly turning to the use of 
automated proofs, rather than semi-haphazard testing, to verify (parts of) 
large products correct. However, it is a formidable task, and how to do this 
is also an active area of research. 


There are of course many more examples; one topical popular concern is 
verifying certain security properties of electronic voting machines (often 
provided by vendors who keep their source software a proprietary secret). 


Having proofs of correctness is not just comforting; it allows us to save 
effort (less time testing, and also able to make better optimizations), and 
prevent recall of faulty products. But: who decides a proof is correct — the 
employee with best SAT scores?!? Is there some trusted way to verify 
proofs, besides careful inspection by a skilled, yet still error-prone, 
professional? 


"Many highly intelligent people are poor thinkers. Many people of average 
intelligence are skilled thinkers. The power of the car is separate from the 
way the car is driven." Edward De Bono, consultant, writer, and speaker 
(1933- ) 


Introduction: logic definition 


What are proofs? (informal) 


Example: 

The following submission from an anonymous engineer to the January, 
1902 edition of Popular Mechanics caught my eye. Seems like something 
every Boy/Girl Scout and Architect should know. 

“HOW TO USE THE WATCH AS A COMPASS: Very few people are 
aware of the fact that in a watch they are always provided with a compass, 
with which, when the sun is shining, the cardinal points can be determined. 
All one has to do is to point the hour hand to the sun and south is exactly 
half way between the hour and the figure 12 on the watch. This may seem 
strange to the average reader, but it is easily explained. While the sun is 
passing over 180 degrees (east to west) the hour hand of the watch passes 
over 360 degrees (from 6 o'clock to 6 o'clock). Therefore the angular 
movement of the sun in one hour corresponds to the angular movement of 
the hour hand in half an hour; hence, if we point the hour hand toward the 
sun the line from the point midway between the hour hand and 12 o'clock 
to the pivot of the hands will point to the south. — Engineer.” 


They give an argument of correctness; is that really a proof? Well, there are 
some ambiguities: Do I hold the watch vertically, or, in the plane of the 
sun's arc? Certainly I can't hold it up-side down, even though this isn't 
explicitly stated. Furthermore, the correctness of the reasoning relies on 
some unstated assumptions. E.g., the sun is at its highest (northernmost) 
point of its transit at noon. Is this actually true? Does it depend on the time 
of year? I'm not exactly sure (and will have to sit down and scratch my head 
and draw pictures of orbits, to convince myself). Certainly there are at least 
a couple of caveats: even beyond account for Daylight Savings Time, the 
solar-time and clock-time only align at time-zone boundaries, and they drift 
up to an hour apart, before the next boundary rectifies the difference. Is this 
presuming I'm in the northern hemisphere? What if I'm on the equator? 


To be fair, the intent of this anecdote was to give enough evidence to 
convince you, not necessarily to be a complete, stand-alone self-contained 
proof. But in writing out a careful proof, one is forced to consider all the 
points just made; being forced to understand these can lead you to better 
understand the procedure yourself. But be careful to distinguish between 
something which sounds reasonable, and something that you're certain of. 


An argument by form 


How can we tell true proofs from false ones? What, exactly, are the rules of 
a proof? These are the questions which will occupy us. 


Proofs are argument by form. We'll illustrate this with three parallel 
examples of a particular proof form called syllogism. 


Example: 
1 All people are mortal. Premise 
2 Socrates is a person. Premise 
3 Therefore, Socrates is mortal. Syllogism, lines 1,2 


Example: 


All [substitution ciphers] are [vulnerable to 


l brute-force attacks]. BU 

9 The [Julius Caesar cipher] is a [substitution ae 
cipher]. 

3 Therefore, the [Julius Caesar cipher] is Syllogism, 
[vulnerable to brute-force attacks]. lines 1,2 


Note that you don't need to know anything about cryptography to know 
that the conclusion follows from the two premises. (Are the premises 
indeed true? That's a different question.) 


Example: 
1 All griznoxes chorble happily. Premise 
2 A floober is a type of griznox. Premise 
3 Therefore, floobers chorble happily. Syllogism, lines 1,2 


You don't need to be a world-class floober expert to evaluate this argument, 
either. 


Note: Lewis Carroll, a logician, has developed many whimsical examples 
of syllogisms and simple reasoning. (Relatedly, note how the social context 
of Carroll's examples demonstrates some feminist issues in teaching logic.) 


As you've noticed, the form of the argument is the same in all these. If you 
are assured that the first two premises are true, then, without any true 
understanding, you (or a computer) can automatically come up with the 
conclusion. A syllogism is one example of a inference rule — that is, a rule 
form that a computer can use to deduce new facts from known ones. 


Some non-proofs 


Of course, not all arguments are valid proofs. Identifying invalid proofs is 
just as interesting as identifying valid ones. 


Note: Homer: Ah, not a bear in sight. The Bear 
Patrol must be working. Lisa: That's specious 
reasoning, Dad. Homer: Thank you, honey. Lisa: By 
your logic, this rock keeps tigers away. Homer: 
Oh? How does it work? Lisa: It doesn't work. 
Homer: Uh-huh. Lisa: It's just a stupid rock. 
Homer: Uh-huh. Lisa: But I don't see any tigers 
around here, do you? [pause] Homer: Lisa, I want 
to buy your rock! [A moment's hesitation .. and 
money changes hands.] (From The Simpsons Much Apu About 
Nothing.) 


If Lisa isn't around, who will identify specious reasoning for us? We can 
certainly use her approach of finding other particular examples that follow 
the same argument, yet lead to a clearly erroneous conclusion. 


Example: 
Suppose that my friend makes the following argument: 


1 Warm cola tastes bad. Premise 


2 Warm salt-water tastes bad. Premise 
3 Therefore, mixing them “Common-sense 
together tastes bad. conclusion”, lines 1,2 


I'm skeptical, so I have a sip; sure enough, the conclusion is indeed true. 
But is the proof correct — does the “common-sense conclusion” rule 
actually hold? In order to refute the form of the argument, we can try 
similar arguments which have the same form but a false conclusion (as 
Lisa did). 


1 Ice-cold coke tastes good. Premise 
2 Ice coffee tastes good. Premise 
3 Therefore, mixing them “Common-sense 
together tastes good. conclusion”, lines 1 and 2. 


After another unfortunate sip, I verify that this conclusion is not true, and 
therefore my friend's reasoning is at fault. 

My friend responds by claiming that the “common-sense conclusion” is too 
valid; the rule is that bad-taste is preserved upon mixing, not that any taste 
is preserved. While I'm inclined to believe that, we realize we can still test 
this more refined rule: can you come up with an instance of mixing 
together bad-tasting things and ever getting a yummy result? (Say, salt and 
flour, which can be mixed and baked to get delicious saltines! The 
argument continues, about whether the form of the argument precludes 
baking, and so on.) 


The end result (after I take some antacid) is that we have a clearer 
understanding of the initially vague “common-sense conclusion”, and 
stricter rules about when it applies. Thus, refining the argument has led us 
to a greater understanding. 


The above examples are a bit frivolous, but the procedure of looking for 
counterexamples applies to many real-world dilemmas. It also highlights 
the difference between a correct proof, and a faulty proof that might still 
happen to lead to a true result. (By the way, this is the exact same skill used 
when trying to come up with an algorithm for a problem: “well, the 
algorithm works for this input, but can I find a something that makes one of 
the steps fail?” If so, you then try refining your algorithm “well, I can add a 
test to take care of that problem; is that enough so that it always works?”) 
Exercise: 


Problem: 


Solve this statement for [X]: "It is wrong to ban [X]. Such a ban would 
punish those reasonable citizens who would use [X] responsibly, while 
those who really want to abuse [X] will be able to get it anyway, 
through a black market which will only subsidize other criminal 
activities." 


Solution: 
This argument is or has been commonly used for varying topics — 


e marijuana, 

e alcohol, 

e all drugs, 

e handguns, 

e birth control, 

e prostitution, 

e encryption technology. 


The interesting part, is that the traditional Left and Right political 
positions each use this argument for some of these items, while 
rejecting the argument when used for other items. 


A more rational response is to either accept all the above, or none of 
the above, or to realize that the stated argument wasn't everything — 
that there might be implicit assumptions or arguments which actually 
do distinguish between these cases (the different interpretations of 
“[X]’”). Being able to articulate the differences is essential. The more 
refined arguments may be more nuanced, and less able to fit into a 
sound-bite, but lead to a better understanding of one's own values. And 
sometimes, upon reflection, one may realize that some of the implicit 
values or premises are things they actually disagree with, once they are 
precisely spelled out. 


In real-world issues, there are often many subtleties, and short arguments 
that sound airtight might be glossing over factors which are important in 
practice. 


Example: 

"During daylight, there is no need to have headlights (or running lights) on: 
there's already plenty of light for everybody to see each other by." Even 
during the day, headlights slightly increase how quickly other drivers see 
you during (say) a routine, tenth-of-a-second glance in their mirror. 


Example: 

"When in a turn-only lane, there is absolutely no need to signal — since 
there's only one way to turn, a signal can't communicating any information 
to other drivers!" Glib, but not true: Other defensive drivers presumably 
know you have only one legal option, but they don't know that you know 
that, and they are planning reactions in case you surprise them with a 
sudden illegal maneuver. By signaling, you give them information which 
helps them better plan for yet other contingencies. Furthermore, it also 


gives you more confidence that other drivers are expecting your turn, 
reducing your suspicion that they're about to pull a surprise maneuver on 
you. (True, these are all low-probability events which almost always turn 
out to be unnecessary. But avoiding accidents is all about minimizing risks 
for the one moment events do spiral out of control.) 


Example: 

“You'll lose weight if and only if you burn more calories than you take in. 
All those diet-plan books can never get around this, and all their details are 
pointless.” 

True, calorie intake and expenditure solely determine weight loss/gain. But 
after some thought, we can get examples where the above logic overlooks 
some relevant differences: If your friend told you they were switching from 
a diet of 2000 calories of balanced short-term and long-term energy 
sources (sugars, proteins, and carbs) to a diet of 2000 calories worth of 
Pixy Stix at breakfast plus a Flintstones multivitamin, would you be 
optimistic that they would have the willpower to strictly follow the new 
plan? The two plans are equal when counting calories, but in actuality one 
really is a better plan. (Even more exaggeratedly, consider a daily plan of 
2000 calories of sugar while never drinking any water—since water has no 
calories, it can't affect your calorie count, according to the above claim.) 
These contrived counterexamples help illustrate that it's conceivable that 
there can be a difference between diet plans, so the initial claim isn't 
technically true. 


The point illustrated is that often real-world arguments incorrectly imply 
that their result follows from the form of the argument, when in fact the 
form is not valid in the way a syllogism is. This fallacy can be illuminated 
by finding a different domain in which the argument fails. The practice of 
searching for domains which invalidate the argument can help both sides of 
a debate hone in on bringing the unspoken assumptions to light. The 
original argument, if its conclusion is indeed true, must be patched either by 
adding the unspoken assumptions or fixing the invalid form. 


Exercise: 


Problem: 


Mistakes in syllogisms are hard to make: what are the only two ways 
to have an error in a syllogism? 


Solution: 


1. The argument isn't actually in syllogism form. For example, the 
following is an incorrect syllogism: 


All people Premise (Equivalent to “Nobody 


don't knows my file's password”, but 
1 know my reworded to be of the required form 
file's “All somethings have some 
password. property.” .) 
All 
2 naL kers Premise 
are 
people. 
Therefore, 
my file is 
3 secure Incorrect syllogism, lines 1,2 
from 
hackers. 


To be a syllogism, the conclusion would have to be “all hackers 
don't know my file's password.” The file might or might not be 
secure, but the above doesn't prove it. 

2. One of the two premises is wrong. 


All people don't know my file's Premise, but 
password. possibly false 


2 All hackers are people. Premise, but 


possibly false 
3 Therefore, all hackers don't Syllogism, 
know my file's password. lines 1,2 


This proof fails, of course, if some hackers are non-people (e.g., 
programs), or if some people know the password. (In fact, 
presumably you know the password!) 


Of course, even if a proof fails, the conclusion might be true for other 


reasons. An incorrect argument doesn't prove the conclusion's 
opposite! 


Other Inference Rules 
Of course, there are more ways to deduce things, beyond a syllogism. 


e Who decides what the valid inference rules are? 
e Is it always clear when people have used the inference rules correctly? 
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Glimpses of two different 
WaterWorld boards 


Consider the following argument about WaterWorld boards: 


Premise, from 
1 (A) is next to exactly onepirate. eae 
either subfigure 
2 (A) has only one unexplored neighbor. eon 
y P 8aDor. either subfigure 
If you are an unexpected location next to Incorrect 
(A), then you contain apirate. conclusion 


This conclusion is not valid; while it is correct for the first board shown, it 
is incorrect for the second. (I make this mistake all the time when playing 
WaterWorld too quickly, arrggh! — The Author.) 


The problem is that the author of the argument presumably meant to 
conclude “all explored neighbors of (A) contain a pirate”. 


Before we can study exact proofs, we need a way of writing exactly 
what we mean. This will occupy us for the next section. 


The need for a precise language 


These previous glitches in the WaterWorld arguments both arise, of course, 
because we were sloppy about what each sentence meant exactly. We used 
informal English — a fine language for humans, who can cope with 


remarkable amounts of ambiguity -- but not a good language for specifying 
arguments. 


Note: Laws and contracts are really written in a separate language from 
English — legalese — full of technical terms with specific meanings. This 
is done because, while some ambiguity is tolerable in 99% of human 
interaction, the remaining 1% can be very problematic. Even so, legalese 
still contains intentionally ambiguous terms: When, exactly, is a 
punishment “cruel and unusual”? What exactly is the “community 
standard” of indecency? The legal system tries to simultaneously be formal 
about laws, yet also be flexible to allow for unforeseen situations and 
situation-specific latitude. (The result of this tension is the position of 
Judge.) 


Note: Court decisions, while dense reading, are often the model of well- 
presented arguments. 


Consider, from a previous example, the statement “...[this is something] 
every Boy/Girl Scout and Architect should know”. Does this mean all 
people who are both a scout and architect, or everybody who is at least one 
or the other? Genuinely ambiguous, in English! (Often, “and/or” is used to 
mean “one or the other or possibly both”.) 


We'll next look at a way to specify some concepts non-ambiguously, at least 
for WaterWorld. We need to be more careful about how we state our facts 
and how we use these known facts to deduce other facts. Remember, faulty 
reasoning might not just mean losing a silly game. Hardware and software 
bugs can lead to significant bodily harm (Imagine software bugs in an 
airplane autopilot or surgical robot system), security loopholes (e.g., in 
Mozilla or JE), or expensive recalls. 


One reaction to the above arguments is “Well, big deal — somebody made 
a mistake (mis-interpreting or mis-stating a claim); that's their problem. 
(And sheesh, they sure are dolts!)” But as a programmer, that's not true: 
Writing large systems, human programmers will err, no matter how smart or 
careful or skilled they are. Type-checkers catch some errors upon 
compilation, and test suites catch their share of bugs, but many still remain 
in real-world software. Thus we are looking for systemic ways to reduce 
and catch errors, with the ultimate ideal of being able to prove programs 
correct. 


Note: Other professions have checklists, protocols, and regulations to 
minimize human error; programming is no different, except that the 
industry is still working on exactly what the checklists or training should 
be. Someday, a license will be required for practicing software, at least for 
software involved with life-safety. 


In our study of formal logic, we'll need three things: 


e Syntax (language) — a precise syntax and vocabulary for expressing 
concepts without ambiguity, 


o Propositional logic, 
o First-order logic (propositional logic, plus relations and 
quantifiers) 


e Semantics (meaning) and modeling — how to connect these formal 
languages to whatever topic we want to reason about (including our 
software). 

e Reasoning (proofs) — methods of deducing new facts from old. We'll 
see three types of reasoning, and how to use them for each of our two 
logics: 


o Truth tables 
o Boolean Algebra 


o Inference Rules 


We'll visit these topics in an interleaved manner — first propositional logic 
(immediately with its semantics) and three methods of reasoning for it; then 
first-order logic and an in-depth look at its interpretations, and finally the 
methods of reasoning for first-order logic. 


We'll begin with a particular syntax — propositional logic for the game of 
WaterWorld — before using this syntax to formally deduce safe moves. 


propositions 
(Blank Abstract) 


Recall examples of where we'd like proofs: 


e WaterWorld (Is a certain location guaranteed safe?) 
e type checking (Does a program call functions in the proper way?) 
e circuit verification (Does a circuit always work as advertised?) 


After seeing the reasons why proofs are important, we ended with a call for 
first needing a precise language for writing down statements without the 
ambiguity of English. 


Note: Might a programming language be a good way to specify formal 
concepts without ambiguity? Programming languages are usually 
motivated by specifying how to do something (implementation), rather 
than formally specifying what is being done (interface). While there is a 
deep relation between these two, logic is more appropriate for specifying 
the “what”. 


A formal vocabulary 


Imagine an offer where, for a mere $6.99, you can get: "EE, (FF or CF or 
OB or HB) or CC and PH and BR and GR or WB and PJ. Some fine 
print clarifies for us that BR includes T (Whi, Whe, Ra, or Hb), FT, HM 
(Bb, Ba, or Ca), EM, B with CrCh, BB (GR from 6-11am)." 
Unfortunately, it's not clear at all how the “and” and “or”s relate. 
Fundamentally, is “a and y or z” meant to be interpreted as “(a and y) or z 
”, or as “a and (y or z)”? With some context, we might be able to divine 
what the author intended: the above offer is the direct translation from the 
menu of a local diner: "2 eggs, potatoes (french fries, cottage fries, O'Brien 
or hashed brown) or cottage cheese and peach half (grits before 11am) and 
choice of bread with gravy or whipped butter and premium jam. Bread 
choices include toast (white, wheat ,raisin or herb), hot flour tortillas, 


homemade muffin (blueberry, banana or carrot), English muffin, bagel with 
cream cheese, homemade buttermilk biscuits. Grits available from 6:00am 
to 11:00am." (In a brazen display of understatement, this meal was called 
“Eggs Alone”.) Even given context, this offer still isn't necessarily clear to 
everybody: can I get both french fries and a peach half? Happily, coffee is 
available before having to decipher the menu. In this example, parentheses 
would have clarified how we should interpret “and”, “or”. But before we 
discuss how to connect statements, we will consider the statements 
themselves. 


proposition 
A statement which can be either true or false. 


Example: 
“Your meal will include hashbrowns.” 


propositional variable 
A variable that can either be true or false, representing whether a 
certain proposition is true or not. 


Example: 
HB 


We will often refer to “propositional variables” as just plain ol’ 
“propositions”, since our purpose in studying logic is to abstract away from 
individual statements and encapsulate them in a single variable, thereon 
only studying how to work with the variable. 


For a proposition or propositional variable X, rather than write “X is true”, 
it is More succinct to simply write “X”. Likewise, “X is false” is indicated 


as “— X” 


Note: Compare this with Boolean variables in a programming language. 
Rather than (x == true) or (x == false), it's idiomatic to instead 
write X or ! xX. 


Observe that not all English sentences are propositions, since they aren't 
true/false issues. Which of the following do you think might qualify as 
propositions? If not, how might you phrase similar statements that are 
propositions? 


“Crocodiles are smaller than Alligators.” 

e “What time is it?” 

e “Pass the salt, please.” 

e “Hopefully, the Rice Owls will win tomorrow's game.” 
e “Mr. Burns is filthy rich.” 

e “Fresca® is the bee's knees.” 


A particular vocabulary for WaterWorld 


When playing WaterWorld, what particular propositions are involved? To 
consider this, we think of a generic board, and wonder what the underlying 
statements are. They are statements like “location A contains a pirate” (“ 
A-unsafe”), “location G has 2 adjacent pirates” (“G-has-2”) and so on. 
Each of these statements may be true or false, depending on the particular 
board in question. 


Here are all the WaterWorld propositions that we'll use. 


Remember that B-unsafe doesn't mean “I'm not sure whether or not B is 
safe”; rather it means “B is unsafe” — it contains a pirate. You may not be 


sure whether (the truth of) this proposition follows what you see, but in any 
given board the variable has one of two values, true or false. 


Every WaterWorld board has the same set of propositions to describe it: 
A-unsafe, B-has-2, etc. However, different boards will have different 
underlying values of those propositions. 


Connectives 


Some statements in the above proof were simple, e.g., the single proposition 
“A-has-2”. Some statements had several parts, though, e.g., “(F-unsafe 
and G-unsafe)”. We build these more complicated statements out of 
propositions. If you know both F-unsafe is false, and G-unsafe is false, 
what can you deduce about the truth of the statement “(F-unsafe and 
G-unsafe)”? Clearly, it is also false. What about when F-unsafe is false, 
but G-unsafe is true? What about when both propositions are true? In fact, 
we can fill in the following table: 


a b (a ^b) 
false false false 
false true false 
true false false 
true true true 


Truth table for A (AND) 


truth table 


A truth table for an expression has a column for each of its 
propositional variables. It has a row for each different true/false 
combination of its propositional variables. It has one more column for 
the expression itself, showing the truth of the entire expression for that 


TOW. 


Exercise: 


Problem: 


What do you think the truth table for “a or b” looks like? Hint: To fill 
out one row of the table, say, for a = true and b = false, ask yourself 
“For this row, is it true that (a is true, or b is true)?” 


Solution: 


a 
false 
false 
true 
true 


Truth table for V (OR) 


Exercise: 


(a Vb) 
false 
true 
true 


true 


Problem: 


33 


The above proof also used subexpressions of the form “not b-unsafe”. 
What is the truth table for “not a”? 


Solution: 
a ~a 
false true 
true false 


Truth table for ~ (NOT) 
Exercise: 


Problem: What is the truth table for the expression “(not a) or b”? 


Solution: 
a b (a = b) 
false false true 


false true true 


a b (a = b) 
true false false 
true true true 


Truth table for = (IMPLIES) 


connective 
The syntactic operator combining one or more logical expressions into 
a larger expression. 
A function with one or more Boolean inputs and a Boolean result. I.e., 
the meaning of a syntactic operator. 


Example: 
Two operators are /\ and V. 


Example: 
The meaning of / and V, e.g., as described by their truth tables. 


Example: 
nand (mnemonic: “not and”), written +, takes in two Boolean values a and 


b, and returns true exactly when a ^ bis not true — that is, 
atb=-7(a ^ b). 


The following are the connectives we will use most often. At least some of 
these should already be familiar from Boolean conditional expressions. 


Connective 


Connectives 


Pronunciation 


not 


and 


Or 


implies 


Meaning 


sa: ais 
false 


a ^ ba 
and b are 
both true 


a V b:at 
least one 
of {a,b} 


is true 


a => b: 
equivalent 
to 

aa V b 


Alternative 
pronunciations 
/ notations 


-a; la 


a*b; ab; a&&b; 
a&b 


a+b; al|b; a|b 


ab; aDb; if a 
then b; a only if 
b; b if a; bis 
necessary for a; 
a is sufficient 
for b 


Many other connectives can also be defined. In fact, it turns out that any 
connective for propositional logic can be defined in terms of those above. 


Example: 


Another connective is if-and-only-if or iff, written as a <= b, which is true 
when a and b have the same truth value. So, as its name implies, it can be 
defined as (a = b) A (b= a). It is also commonly known as “a is 
equivalent to b” and “a is necessary and sufficient for b”. 


Exercise: 


Problem: 


Another connective is “exactly-one-of”, which is more traditionally 
called exclusive-or or xor (since it excludes both a and 6 holding, 
unlike the traditional “inclusive” or.) How would you define a “xor” b 


in terms of the above connectives? 


Solution: 


Exactly one is true if either (a is true, and b is false) or (a is false, and 
b is true). So, one way to define itisa Bb=a A ~b V ~a A b. 


The two halves of that formula also correspond to the two true rows of 


xor's truth table: 


a 


false 


false 


true 


true 


Truth table for xor 


(a @ b) 
false 
true 
true 


false 


Note that the conventional a V b is sometimes called inclusive-or, to 
stress that it includes the case where both a and 6 hold. 


In English, the word “or” may sometimes mean inclusive-or, and other 
times mean exclusive-or, depending on context. Sometimes the term 
“and/or” is used to emphasize that the inclusive-or really is intended. 
Exercise: 


Problem: 


For each of the following English sentences, does “or” mean inclusive- 
or or exclusive-or? 


1. “Whether you are tired or lazy, caffeine is just the drug for you!” 

2. “Whether you win a dollar or lose a dollar, the difference in your 
net worth will be noticed.” 

3. “If you own a house or a car, then you have to pay property tax.” 

4. “Give me your lunch money, or you'll never see your precious 
hoppy taw again!” 


Solution: 


1. Inclusive. 
2. Exclusive. 
3. Inclusive. 
4. Exclusive (hopefully). 


formulas 


Well-Formed Formulas 


If we want to develop complicated expressions about breakfast foods like 
eggs, hashbrowns, and so on, we will want an exact grammar telling us how 
to connect the propositions, what connections are allowed, and when 
parentheses are necessary (if at all). We will choose a grammar so that all 
our formulas are fully parenthesized: 


Well-Formed formula (WFF) 
A constant: true or false. (If you prefer brevity, you can write "T" or 
"F".) 
A propositional variable. 
A negation —y, where y is a WFF. 
A conjunction y ^ %, where y and w are WFFs. 
A disjunction y V p, where y and are WFFs. 
An implication y = w, where y and w are WFFs. 


Example: 
a 


Example: 
exe 


Example: 
a A ale 


Example: 


ac V a A ~c, or equivalently, (~c) V (a A =c) 


Example: 
ac V a A 7c => o or equivalently, ((=c) V (a A n7c)) => b 


The last two examples illustrate that we can add parentheses to formulas to 
make the precedence explicit. While some parentheses may be unnecessary, 
over-parenthesizing often improves clarity. We introduced the basic 
connectives in the order of their precedence: ~ has the highest precedence, 
while = has the lowest. Furthermore, A and V group left-to-right: 

a Nb \ c=(a ^ b) A c whereas > groups right-to-left. 


Example: 

We can combine these ways of forming WFFs in arbitrarily complex ways, 
for example, 

mat emit exe PN) (Dt CIN oer E 

While large WFFs are common, and we will use some, ones with this 
much nesting are not. 


Note: ¢, p, and 0 are meta-variables standing for any WFF. The literal 
character "p" doesn't actually show up inside some WFF; but instead, any 
particular formula can be used where we write "p". It is a variable which 
you the reader must substitute with some particular WFF, such as " a = b 
". Similarly, a, b, and c are meta-variables to be replaced with a 


proposition, such as "b". 


Variations of well-formed formulas occur routinely in writing programs. 
While different languages might vary in details of what connectives are 


allowed, how to express them, and whether or not all parentheses are 
required, all languages use WFFs. 


Example: 

When creating the homeworks' web pages, the authors keep the problems 
and solutions together in one file. Then, a program reads that file, and 
creates a new one which either excludes the solution (for the problem set), 
or includes it (for the solution set, and for practice-problems). The 
condition for deciding whether to include the solutions is a WFF. 


;; 1s-a-solution?: paragraph -> boolean 

;; A function to tell if we are looking at a 
"solution" paragraph. 

;; Assume this is provided. 


;; 1S-in-a-practice-prob?: paragraph -> boolean 
;; A function to tell if Is the current problem a 
practice problem? 

;; Assume this is provided. 


;; include-all-solutions?: boolean 
+: A variable for the entire file. 
;; Assume this is provided. 


;; show-or-hide-soln: paragraph -> paragraph 
;; Either return the given paragraph, 

;; or (if it shouldn't be revealed) return a 
string saying so. 


(define (show-or-hide-soln a-para) 
(if (and (1s-a-solution? a-para) 
(not (or include-all-solns? (1is-in-a- 
practice-prob? a-para) )) 


"(see solution set)" 
a-para) ) 


Note that the Boolean variable include-all-solutions? and 
Boolean values of (1S-a-Solution? a-para) and (1iS-in-a- 
practice-prob? a-para) play the part of propositions (is-soln, 
include-solns, is-practice), respectively. The if's condition boils down 
to the WFF is-soln ^ —(include-solns V is-practice). 


Keep in mind that a WFF is purely a syntactic entity. We'll introduce rules 
later for re-writing or reasoning with WFFs, but it's those rules that will be 
contrived to preserve our meaning of connectives like A or 7. The truth 
value of a WFF depends on the truth values we assign to the propositions it 
involves. 


When writing a program about WFFs, verifying syntactic property, 
calculating a value, counting the number of negations or bs, etc., such 
programs exactly follow the definition of WFF given. 


Some formulas are truer than others 


Is the formula A-unsafe V A-has-2 true? Your response should be that it 
depends on the particular board in question. But some formulas are true 
regardless of the board. For instance, A-unsafe V —A-unsafe: this holds 
no matter what. Similarly, A-unsafe ^A —A-unsafe can never be satisfied 
(made true), no matter how you try to set the variable A-unsafe. 


truth assignment 
An assignment of a value true or false to each proposition being used. 


Example: 
For the formula a = a ^ b, one possible truth assignment is a = true 
and b = false. With that truth assignment, the formula is false. 


Note: 
We've used three different symbols to describe "equality" in some sense: 


e a > bisa formula. The symbol "#" is a logical connective. 

e » = wis a statement that two formulas are equivalent — that is, the 
same for all truth assignments. 

e a = true defines the value of a proposition. We also use the symbol 
for defining variables, b = w, and meta-variables, y = w. 


Of these, only "«" occurs within a formula. 

Commonly, people use symbols such as "=" for multiple purposes. This is 
problematic when part of what we are studying are the syntactic formulas 
themselves. 


tautology 
A WFF which is true under any truth assignment (any way of 
assigning true/false to the propositions). 


Example: 
A-unsafe => A-unsafe 


Example: 
iSO Vb 


unsatisfiable 
A WFF which is false under any truth assignment. 


Example: 


— (A-unsafe => A-unsafe) 


Example: 
Gea a, 


Note that in algebra, there are certainly formulas which are true (or 
similarly, false) for all values, but they don't get special names. For 
example, over the real numbers, any assignment to x makes the formula 
zr? > 0 true, so it's similar to a tautology. Similarly, x = £ + 1 is 
unsatisfiable, since it can't be made true for any assignment to z. 


Some people use the term contingency to mean formulas in between: things 
which can be either true or false, depending on the truth assignment. Really, 
tautologies and unsatisfiable formulas are boring. However, trying to 
determine whether or not a formula is a tautology (or, unsatisfiable) is of 
interest. That's what proofs are all about! 


tautologies contingencies unsatisfiable 


Kinds of formulas: tautologies, contingencies, 
unsatisfiables 


Identify the following Yogi Berra quotes either as tautologies, unsatisfiable, 
or neither. (Take these exercises with a grain of salt, since the English 
statements are open to some interpretation.) 

Exercise: 


Problem: " Pitching always beats batting — and vice-versa. " 


Solution: 
Unsatisfiable. 


Exercise: 


Problem: You can observe a lot just by watchin’. 


Solution: 
Tautology, arguably. 


Exercise: 


Problem: Nobody goes there anymore... it's too crowded. 


Solution: 


Unsatisfiable, unless of course you interpret "nobody" as "nobody of 
note". 


Exercise: 


Problem: It sure gets late early out here. 


Solution: 


Neither. If you interpret "gets late" as a social issue but "early" as a 
clock issue, then the statement might be true, depending on where 


"here" is. 
Exercise: 


Problem: 


Always go to other people's funerals; otherwise they won't come to 
yours. 


Solution: 


Unsatisfiable, except perhaps in a karmic sense. 


Finding Truth 


Now that we've seen how to express concepts as precise formulas; we 
would like to reason with them. By "reason", we mean some automated 
way of ascertaining or verifying statements — some procedure that can be 
carried out on an unthinking computer that can only push around symbols. 
In particular, for propositional logic, we'll restrict our attention to some 
(closely related) problems: 


e TAUTOLOGY: given a formula y, is it a tautology? 

e SATisfiability: Give a formula y, is it satisfiable? (Is there some truth 
assignment to its variables, that makes it true?) 

e EQUIV: Given two WFFs and 4, are they equivalent? (Do they 
give the same result for all possible truth assignments to their 
variables? 


Game-specific rules 


Isx V y V za tautology? Clearly not. Setting the three propositions each 
to false, the formula is false. But now consider: Is 

A-has-0 V A-has-1 V A-has-2 a tautology? The answer here is " yes of 
course, ... well, as long we're interpreting those propositions to refer to a 
WaterWorld board. " We'll capture this notion by listing a bunch of domain 
axioms for WaterWorld: formulas which are true for all WaterWorld boards. 


There are a myriad of domain axioms which express the rules of 
WaterWorld. Here are a few of them: 


e A-has-0 => B-safe ^A G-safe 
e A-has-2 => B-unsafe ^A G-unsafe 


A more complete list is here. Whenever we deal with WaterWorld, we 
implicitly take all these domain axioms as given. 


Propositional Logic: truth tables 


Seeing how we can express some concepts as some formulas, and how some formulas are tautologies while others 
might be true or false depending on the truth assignment, we come to a question: how can we determine when a 
formula is a tautology? How can we tell if two different formulas are equivalent for all truth assignments? We'll 
look at three different methods of answering these questions: 


e reasoning with truth tables (this section), 
e reasoning with equivalences, and 
e reasoning with inference rules. 


Using Truth Tables 


Is = associative? In other words, is a = (b = c) always equivalent to a = b => c? What is a methodical way of 
answering questions of this type? We can make a truth table with two output columns, one for each formula in 
question, and then just check whether those two columns are the same. 

Exercise: 


Problem: Use truth tables to show that a = (b = c) and (a = b) > c aren't equivalent. 


Solution: 
a b c (a = (b = ¢)) ((a > b) > c) 
false false false true false 
false false true true true 
false true false true false 
false true true true true 
true false false true true 
true false true true true 
true true false false false 
true true true true true 


Truth table to check associativity of implication 


By inspecting the two right-most columns, we see that the formulas are indeed not equivalent. They have 
different values for two truth-settings, those with a = false and c = false. 


Thus we see that truth tables are a method for answering questions of the form “Is formula y equivalent to formula 
w?” We make a truth table, with a column for each of y and 4, and just inspect whether the two columns always 
agree. A bit of a brute-force solution, but certainly correct. 


What about the related question, “Is formula 0 a tautology?”. Well, obviously truth tables can handle this as well: 
make a truth table for the formula, and inspect whether all entries are true. For example, in the above problem, we 
could have made a truth table for the single formula a = (b > c) = (a = b) => c. The original question of 
equivalence becomes, is this new formula a tautology? 


The first approach is probably a tad easier to do by hand, though clearly the two approaches are equivalent. 
Another handy trick is to have three output columns you're computing: one for p = a => (b > c), one for 

w = (a = b) > c, and one for y > 4; filling out the first two helper columns makes it easier to fill out the last 
column. 


Note: When making a truth table for a large complicated WFF by hand, it's helpful to make columns for sub- 
WFFs; as you fill in a row, you can use the results of one column to help you calculate the entry for a later 
column. 


Exercise: 


Problem: Is it valid to replace the conditional 


int do_something(int valuei1, int value2) 


{ 
bool a = ...; 
bool b = ..; 
if (a && b) 
return valuet; 
else if (a || b) 
return value2; 
else 
return valuet; 
} 


with this conditional? 


int do_something(int valuei, int value2) 
{ 

bool a mi 

bool b Pa 


if ((a && !b) || (!a && b)) 
return value2; 

else 
return value1; 


After all, the latter seems easier to understand, since it has only two cases, instead of three. 


Solution: 


In the original code, we return value2 when the first case is false, but the second case is true. Using a WFF, 


when =(a A^ b) A (a V b). Is this equivalent to the WFF a ^ ~b V ~a ^ b? Here is a truth table: 


a b 

false false 
false true 
true false 
true true 


Truth table for comparing conditionals' equivalence 


Yes, looking at the appropriate two columns we see they are equivalent. 


a(a/Ab) 


true 
true 
true 


false 


(avb) 


false 
true 
true 


true 


(= (a ^b) A (a V b)) 


false 
true 
true 


false 


(a A =b) 


false 
false 
true 


false 


(~a ^b) 


false 
true 
false 


false 


((a ^ 
false 
true 
true 


false 


So, how would do we use truth tables to reason about WaterWorld? Suppose you wanted to show that G-safe was 


true on some particular board. Clearly a truth table with the single column G-safe alone isn't enough (it would 
have only two rows — false and true — and just sit there and stare at you). We need some way to incorporate 
both the rules of WaterWorld and the parts of the board that we could see. 


We can do that by starting with a huge formula that was the conjunction of all the WaterWorld domain axioms; 


call it p. We would encode the board's observed state with another formula, 7. Using these, we can create the 


(rather unwieldy) formula that we're interested in: 9 A w= G-safe. (Notice how this formula effectively ignores 
all the rows of the the truth-table that don't satisfy the rules p, and the rows that don't correspond to the board we 
see w: because of the semantics of =, whenever p ^ 4 is false, the overall formula ^A w = G-safe is true.) 


Propositional Logic: limitations of truth tables 


Are we done yet? 


Are we done with propositional logic, now that we can test for equivalence 
and tautologies, using truth tables? Possibly. Truth tables can answer any 
question about propositional logic, but not always conveniently. 


Consider the following code: 


bool do_something(int value) 


t D 


bool b e 


if (a && !b) 
return true; 
else if (!a && !b) 
return false; 

else if (a) 
return a; 
else if (b) 
return false; 
else 
return true; 


} 


Clearly, this is very ugly and should be simplified. But to what? We could 
build a truth table for the corresponding WFF, but so far we don't have any 
better way of finding a simpler equivalent formula than testing equivalence 
with whatever comes to mind. We need some way to generate formulas, 
given either an equivalent formula or a truth table. 


There is another practical difficulty with truth table: they can get unwieldy. 
Exercise: 


Problem: 


How many rows are there in a truth table with 2 input variables? 3 
variables? 5 variables? 10 variables? n variables? 


Solution: 


e 2 variables: As we're seen, 4 rows. 
e 3 variables: 8 rows. 

e 5 variables: 32 rows. 

e 10 variables: 1024 rows. 

e n variables: 2” rows. 


Exercise: 


Problem: 


(Optional) Now, how many such boolean functions are possible, with 
2 inputs? With 3? For fun, sit down and name all the possible two- 
input functions. You'll find that some of them are rather boring, such as 
the constant function true, and many are just permutations on =>. 


Solution: 


e With 2 variables, we have 4 rows. How many different ways can 
we assign true and false to those 4 positions? If you write them 
all out, you should get 16 combinations. 

e With 3 variables, we have 8 rows and a total of 256 different 
functions. 

e With n variables, we have 2” rows and a total of 22” different 
functions. That's a lot! 


When discussing a circuit with 100 wires (each corresponding to a single 
proposition), truth tables are clearly infeasible. Modern processors have 
millions of wires and transistors. It is still an area of active research to cope 
with such a huge number of possibilities. (The key idea is to break things 


down into small sections, prove things about the small sections, and 
hopefully have a small set of sentences formally capturing the interface 
between sections.) 


So truth tables are intractable for analyzing circuits of more than a few 
wires. But will they suffice for answering WaterWorld questions? Image a 
(large) table with all the neighbor propositions: A-has-0, B-has-0, ..., 
A-has-1, B-has-1, ... Now, determine which rows which entail B-safe. To 
answer this, we end up looking at rows involving many clearly-irrelevant 
propositions such as Z-has-2. 


Note: Hmm, considering every possible board and then counting what 
proportion of boards entail B-safe — hmm, this is the brute-force 
definition of probability! Since such truth tables enumerates all possible 
boards, it's like looking for probability 1 the brute-force way. 


Also, this method of playing WaterWorld via huge truth tables would be 
unsatisfying for another reason: it doesn't actually reflect our own 
reasoning. As a general principle of programming, your program should 
always reflect how you conceive of the problem. The same applies to logic. 


Note: Consider the difference between using truth tables and actually 
reasoning. The philosopher Bertrand Russell, trying to pin down what 
exactly constitutes “knowledge”, suggested that he knows that the last 
name of Britain's prime minister begins with a 'B'. While Gordon Brown is 
prime minister, making Bertrand is correct, we hesitate to say he actually 
knows the fact — he wrote his example when the prime minister was 
Arthur Balfour (1902-1905). So while he is correct in a truth-table sense, 
his reasoning isn't, and we tend to say that he does not actually know the 
prime minister's last initial. 


So, no: we're not yet finished with propositional logic. We want to look for 
(hopefully) more feasible ways to determine whether a formula is a 
tautology (or, whether two formulas are equivalent). As a clue, we'll try to 
discover methods which are based on the way we naively approach this. 
We'll look first at equivalences, and then at inference rules. 


Propositional Logic: equivalences 


Propositional Equivalences 


What are the roots of x? — 4x? Well, in high-school algebra you learned 
how to deal with such numeric formulas: 


= x (x? — 4) factor out x 


The identity 
= x (x — 2) (a+ 2) a? — b? = (a + b) (a — b) witha 
being z, and b being 2. 


This last expression happens to be useful since it is in a form which lets us 
read off the roots 0, +2, -2. The rules of algebra tell us that these three 
different formulas are all equivalent. In fact, our very definition of two 
formulas being equivalent is that for any value of x the two formulas return 
the same value. We are distinguishing between syntax (the expression 
itself, as data), and semantics (what the expression means). Usually, when 
presented with syntax, one is supposed to bypass that and focus on its 
meaning (e.g., reading a textbook). However, in logic and post-modern 
literature alike, we are actually studying the interplay between syntax and 
semantics. The general gist is that in each step, you rewrite subparts of your 
formula according to certain rules (“replacing equals with equals”). 


Well, we can use a similar set of rules about rewriting formulas with 
equivalent ones, to answer the questions of whether two formulas are equal, 
or whether a formula is a tautology. George Boole was the first to realize 
that true and false are just values in the way that numbers are, and he first 


codified the rules for manipulating them; thus Boolean algebra is named in 
his honor. 


Note: The term “algebra” comes from the values true, false and operators 


/\, V having some very specific properties similar to those of numbers with 
eh 


Again, each individual step consists of rewriting a formula according to 
certain rules. So, just what are the rules for manipulating Boolean values? 
We'll start with an example. 


Example: 


1 a ^ false V b A true 


2 = false V b ^ true Dominance of false over ^ 

3 =b A^ true V false Commutativity of V 

4 =b A^ true Identity element for V is false 
5 =b Identity element for / is true 


Thus we have a series of equivalent formulas, with each step justified by 
citing a propositional equivalence. By and large, the equivalences are rather 
mundane. A couple are surprisingly handy; take a moment to consider 
DeMorgan's laws. 


a“(p A ~) ==> V w “(ep V p) == A w 


(Try y being “Leprechauns are green”, and Y% being “Morgana Le Fay likes 
gold”. Do these laws make sense, for each of the four possible truth 
assignments?) Augustus DeMorgan was also an important figure in the 
formalization of logic. 


Augustus DeMorgan (1806-1871) 


Here is another example. For a statement y = y, the contrapositive of that 
formula is ~a% = ~g. We can show that a formula is equivalent to its 
contrapositive: 


Example: 
Contrapositive 


2 = 79 V% Definition of > 


3 =y V A» Commutativity of V 
4 = any V no Double Complementation 
5 Z WV- P Definition of = 


Don't confuse the contrapositive of a statement with the converse of a 
formula: The converse of y = w is the formula Y% = y; in general a 
formula is not equivalent to its converse! 


This next example is actually a proof of one of the laws from the given list, 
using (only) others from the list. 


Example: 
Absorption of V 


1 gy hyv 


2 =p AY V Ņ% A true Identity of ^ 
3 =v N V% ^ true Commutativity of V 
4 =w ^ (p V true) Distributivity of ^ over V 


5 =w A^ true Dominance of V 


6 =) Identity of A 


Exercise: 


Problem: 


Show that the “Absorption of A” equivalence holds, given the other 
equivalences. I.e., show (a V b) A b=b. 


Solution: 


1 (a V b) Ab 


2 = (a V b) A (b v false) Identity of V 

3 =(b V a) A (b v false) Commutativity of V 

4 hy aA ne of V over 
5 =b V false Dominance of /\ 

6 =b Identity of V 


Compared to proofs using truth tables, Boolean algebra gives us much 
shorter proofs. But, determining which equivalence to use in the next step 
of a proof can be difficult. In this case, compare the solution for this 


exercise to the previous absorption proof. These two proofs have a special 
dual relationship described in the next section. 
Exercise: 


Problem: 


Show that the modus ponens rule, a ^ (a = b) = b always holds. 
I.e., show that it is a tautology, and thus equivalent to true. 


Solution: 
1 a A (a=>b)>b 
2 =a ^ (~a V b)>b Definition of > 
3 ee ee ee sas) of V over 
4 = fale Va A b=>b Complement 
5 =a ^ b V false => b Commutativity of V 
6 =a Abb Identity of V 
7 =n(a A b) Vb Definition of > 
8 =-a V -b Vb DeMorgan's law 
9 =-a V b Vb Associativity of V 
10 =-a V b V =b Commutativity of V 


11 =-a V true Complement 


12 = true Dominance of V 


So, what would it mean to use Boolean algebra as reasoning for 
WaterWorld? That is, if you wanted to show that G-safe was true, how 
would you do that using Boolean algebra? As with truth-tables, we would 
take the conjunction of all the WaterWorld domain axioms (call it p), and 
the board's observed state (Y). We would then want to show that asserting 
G-safe was already equivalent to the rules-and-observed-state: 
p\w=p Awd Gsafe. 


Duals (optional) 
Duals: a symmetry between ^, V mediated by ~. 


Looking at the provided propositional equivalences, you should notice a 
strong similarity between those for V and those for ^A. Take any 
equivalence, swap Vs and ^s, swap trues and falses, and you'll have 
another equivalence! For instance, there are two flavors of DeMorgan's law, 
which are just duals of each other: 


a“(p A ~) == V w “(ep V Y) ==> A w 


Note: In terms of circuit diagrams, we can change each AND gate to an 
OR gate and add negation-bubbles to each gate's inputs and outputs. The 
principle of duality asserts that this operation yields an equivalent circuit. 


The idea of duality_is more general than this. For example, polyhedra have a 
natural dual of interchanging the role of vertices and faces. 


Propositional Logic: normal forms 


CNF, DNF, ... (ENufF already!) 


In high school algebra, you saw that while z? — 4x and x (x — 2) (x + 2) are equivalent, the second form is 
particularly useful in letting you quickly know the roots of the equation. Similarly, in Boolean algebra there are 
certain canonical — “normal” — forms which have nice properties. 


A formula in Conjunctive Normal Form, or CNF, is the conjunction of CNF clauses. Each clause is a formula of 
a simple form: a disjunction of possibly-negated propositions. 


Example: 
c= a ^ bis equivalent to (a V =c) A (b V ~c). This latter formula is in CNF, since it is the conjunction of 
disjunctions, and each disjunction consists only of propositions and negated propositions. 


Example: 

The conjunctions and disjunctions need not be binary. The following formula is also is CNF. 

ma A (GV bY oc) A (b Yad Ve V 7) 

Note that its first clause is just one negated proposition. It is still appropriate to think of this as a disjunction, since 
QO=@ VW ©, 


Another format, Disjunctive Normal Form, or DNF is the dual of conjunctive normal form. A DNF formula is 
the disjunction of DNF clauses, each a conjunction of possibly-negated propositions. 


Example: 

a ^ b= cis equivalent to ~a V ~b V c whichis in DNF: three disjunctions, each being a clause with only 
one term. (It also happens to be in CNF — a single clause with three terms!) It is also equivalent to the more 
fleshed out DNF formula where we insist that each clause include all three variables. We end up with a formula 
that includes each possible clause except a ^A b ^A ~c: That is, the formula 

@ A wA GY @ A ab AO) VY @ A a0 A =e) V Ge A OA OC} VY Ge AoA =e) VY Ga Aco 


Note: Electrical Engineering courses, coming from more of a circuit perspective, sometimes call CNF product- 
of-sums, and call DNF sum-of-products, based on V,^ being analogous to +,*. 


Any Boolean function can be represented in CNF and in DNF. One way to obtain CNF and DNF formulas is based 
upon the truth table for the function. 


e A DNF formula results from looking at a truth table, and focusing on the rows where the function is true: As 
if saying “I'm in this row, or in this row, or ...”: For each row where the function is true, form a conjunction 
of the propositions. (E.g., for the row where a is false, and b is true, form ~a ^ b.) Now, form the 
disjunction of all those conjunctions. 

e A CNF formula is the pessimistic approach, focusing on the rows where the function is false: “I'm not in this 
row, and not in this row, and ...”. For each row where the function is false, create a formula for “not in this 


row”: (E.g., if in this row a is false and b is true form ~ (~a ^ b); then notice that by DeMorgan's law, this 
isa V —b— a disjunct. Now, form the conjunction of all those disjunctions. 


Example: 
a b c Unknown function 
false false false false 
false false true false 
false true false true 
false true true true 
true false false false 
true false true true 
true true false false 
true true true false 


Truth table example 


For CNF, the false rows give us the following five clauses: 


and the full formula is the conjunction of these. Essentially, each clause rules out one row as being true. 
For DNF, the true rows give us the following three clauses: 


O = A fo iN Se 
e—a JN lb AE 
Oa A al AE 


and the full formula is the disjunction of these. Essentially, each clause allows one row to be true. 


This shows that, for any arbitrarily complicated WFF, we can find an equivalent WFF in CNF or DNF. These 
provide us with two very regular and relatively uncomplicated forms to use. 
Exercise: 


Problem: 


The above example produced CNF and DNF formulas for a Boolean function, but they are not the simplest 
such formulas. For fun, can you find simpler ones? 


Solution: 


e CNF: (a V b) A (a Vbv c) A (~a V >) 
e DNF: (~a A b) V (a A 7b A ©) 


Note: Karnaugh maps are a general technique for finding minimal CNF and DNF formulas. They are most 
easily used when only a small number of variables are involved. We won't worry about minimizing formulas 
ourselves, though. 


Notation for DNF, CNF 
Sometimes you'll see the form of CNF and DNF expressed in a notation with subscripts. 


e DNF is Vipi, where each clause p; is ^jÀj, where each À is a propositional variable (Prop), or a negation of 
one (— Prop). 

e CNF is A;%;, where each clause y; is V ;A;, where each A is again a propositional variable (Prop), or a 
negation of one (— Prop). 


For example, in the CNF formula (a V b) A (~a V b V c) A (~a V =b) we have p =-a V bV c 
within that clause we have A, = ~a. 


One question this notation brings up: 


e What is the disjunction of a single clause? Well, it's reasonable to say that ~ = a. Note that this is also 
equivalent to ọ V false. 

e What is the disjunction of zero clauses? Well, if we start with y = w V false and remove the w, that leaves 
us with false! Alternately, imagine writing a function which takes a list of booleans, and returns the V of all 
of them — the natural base case for this recursive list-processing program turns out to be false. Indeed, this is 
the accepted definition of the empty disjunction. It follows from false being the identity element for V. 
Correspondingly, a conjunction of zero clauses is true. 


Actually, that subscript notation above isn't quite correct: it forces each clause to be the same length, which isn't 
actually required for CNF or DNF. For fun, you can think about how to patch it up. (Hint: double-subscripting.) 


Note that often one of these forms might be more concise than the other. Here are two equivalently verbose ways 
of encoding true, in CNF and DNF respectively: (a V ~a) A (b V =b) A... A (z V ~z) is equivalent to 
(@aNbAcCA...ANyYA2)V(AKBACA...N yA nz) V (AN BACA... A ay A 2) V 
. The first version corresponds to enumerating the choices for each location of a WaterWorld board; it has 26 two- 
variable clauses. This may seem like a lot, but compare it to the second version, which corresponds to enumerating 
all possible WaterWorld boards explicitly: it has all possible 26-variable clauses; there are 276 ~ 64 billion of them! 


soundness and completeness 
The soundness and completeness of a system. 


Are we done yet? 


We have shown procedures, using both truth tables and equivalences, for 
solving two different logic problems: 


e Equivalence: Show whether or not two WFFs y and w are equivalent 
(the same under any truth assignment); 

e Tautology: Show whether or not a given WFF is a tautology (true 
under all truth assignments). 


Exercise: 


Problem: 


Which of these two logic problems seems harder than the other? That 
is, suppose you have a friend who can solve any Equivalence problem 
efficiently. But you want to open a business which will solve any 
Tautology problem efficiently. Can you open your business and, by 
subcontracting out specific Equivalence problems to your friend, really 
solve any Tautology problem brought to you? This question is 
sometimes phrased as " Does Tautology reduce to Equivalence? " Or, 
does it work the other way: does Equivalence reduce to Tautology? 


Solution: 


We can indeed reduce the question of Tautology to the question of 
Equivalence: if somebody asks you whether y is true, you can just turn 
around and ask your friend whether the following two formulas are 
equivalent: y, and true. Your friend's answer for this variant question 
will be your answer to your customer's question about y. Thus, the 
Tautology problem isn't particularly harder than the Equivalence 
problem. 


But also, Equivalence can be reduced to Tautology: if somebody asks 
you whether @ is equivalent to W, you can construct a new formula 


(py > Ww) A (w => vy). This formula is true exactly when ọ and y are 
equivalent. So, you ask your friend whether this bigger formula is a 
tautology, and you then have your answer to whether the two original 
formulas were equivalent. Thus, the Equivalence problem isn't 
particularly harder than the Tautology problem! 


Given these two facts (that each problem reduces to the other), we 
realize that really they are essentially the same problem, in disguise. 


But we have a more fundamental question to ask, about the method of using 
Boolean algebra (propositional equivalences) to prove something: Where 
does the initial list of allowable equivalences come from, and how do we 
know they're valid? The answer is easy — each equivalence can be verified 
by a truth table! 

Exercise: 


Problem: 


Using a truth table, show the validity of conjunctive Redundancy: 
p Ay V Y=HpAH 


Solution: 


Compare the last two columns in the following: 


a b aa V b a ^N (~a V b) a ^b 
false false true false false 
false true true false false 


true false false false false 


a b aa V b a ^N (~a V b) a ^b 
true true true true true 


Truth table to prove validity of conjunctive Redundancy 


This is called soundness of Boolean algebra: If, using our propositional 
equivalence rules, we derive that @ and y are equivalent, then truly they are 
equivalent. (Whew!) 


By the way, there is one subtle point: our truth table tells us that a ^ b and 
b A a are equivalent. But then suddenly we generalize this to saying that 
for any formulas ọ and y, y A pandy A ware also equivalent. What 
lets us justify that step? It's because any given formula will be either true or 
false, so we can reduce the entire formula to a single true/false proposition. 


Is Boolean algebra enough? Does our list of allowable propositional 
equivalences include everything you'll need? That is, could I have asked as 
a homework problem to show some two formulas equivalent (using 
Boolean algebra), and even though they really are equivalent, there aren't 
enough rules to on our list to let you finish the homework? Hmm, good 
question! The property we desire here is called the completeness of 
Boolean algebra: any equivalence which is true can be proved. 


It turns out that, given any two formulas which really are equivalent, 
Boolean algebra is indeed sufficiently powerful to show that. Put both 
formulas into CNF (or, DNF); if the truth tables are equal then the CNF 
formulas will be equal. (Well, there are a few details to take care of: you 
have to order the clauses alphabetically, eliminate any duplicate clauses, 
and include all variables in each clause. This might be tedious, but not 
difficult.) Thus, Boolean algebra is complete, since (we state without proof) 
this procedure can always be carried out. 


The concepts of soundness and completeness can be generalized to any 
system. 


soundness 
If the system (claims to) prove something is true, it really is true. 


completeness 
If something really is true, the system is capable of proving it. 


Propositional Logic: inference rules 


Inference 


Truth tables and equivalences are useful and powerful tools, but they do not correspond to 
how we usually reason about things. What we will do now is look at more familiar 
reasoning and how to formalize that. For example, with Boolean algebra it is awkward to 
prove that a ^ b implies a. For that, it is necessary to reword the problem in terms of 
equivalences, asa ^ b => a = true. Our next tool provides a more straightforward way to 
reason about implications. 


Example: 
Given the following piece of a WaterWorld board, how would you conclude that G is 
unsafe? 


A glimpse of a 
WaterWorld board 


Since H-has-2, at least two of H's three neighbors must be unsafe. But, since we know 
that one of these, J, isn't unsafe, then the two others, including G, must both be unsafe. 
Let's write this out more explicitly: 


1 H-has-2would imply one of the following is true: ( WaterWorld 
P-unsafe and G-unsafe), or (J-unsafe and domain axiom, i.e., 
P-unsafe), or (G-unsafe and J-unsafe). definition of 


H-has-2 


Premise (by 
2 H-has-2 is true. inspection of this 
particular board) 


One of the following is true: (P-unsafe and 
8 G-unsafe), or (J-unsafe and P-unsafe), or ( lines 1,2 


G-unsafe and J-unsafe). 


Premise (by 


4 not J-unsafe 3 , 
inspection) 

5 (P-unsafe and G-unsafe) lines 3,4 

6 G-unsafe line 5 


Whew! A lot of small steps are involved in even this small deduction. It's apparent we'd 
want to automate this as much as possible! Let's look at some other short examples, which 
we'll formalize in a moment. 

Exercise: 


Problem: How do you know that A-has-2 proves B-unsafe ? 
Solution: 
Intuitively, this is straightforward. Since A-has-2, then both of its two neighbors, 


including B, must be unsafe. For this problem, let's be a bit more formal and use WFFs 
instead of prose in the steps. 


1 A-has-2 Premise 


WaterWorld domain axiom, i.e., 


2 A-has-2 = B-unsafe ^A F-unsafe definition of A-has-2 


3 B-unsafe ^A F-unsafe lines 1,2 


4 B-unsafe line 3 


Exercise: 


Problem: Similarly, how do you reason that A-has-1 and G-safe prove B-unsafe? 
Solution: 
Again a similar idea, if A-has-1, then at least one of A's two neighbors must be 


unsafe. But, since we know that one of these, G isn't unsafe, then the other, B, must be 
unsafe. 


WaterWorld 

1 A-has-1 = B-safe A G-unsafe V B-unsafe ^A G-safe domain 
axiom 

2 A-has-1 Premise 

3 B-safe ^A G-unsafe V B-unsafe ^A G-safe lines 1,2 

4 G-safe Premise 

5 B-unsafe ^A G-safe lines 3,4 

6 B-unsafe line 5 


Formal inference rules and proofs 


In the above examples, we relied on common sense to know what new true formulas could 
be derived from previous ones. Unfortunately, common sense is imprecise and sometimes 
wrong. So, we need to formalize how we form proofs. 


We now define a formal proof of 0 from the premises y, ..., 7, written 
Equation: 


P,- pF 0 


(A proof with no premises simply means there is nothing on the left of the turnstile: F 6.) 
For example, we'll show shortly that H-has-2 | G-unsafe. A proof consists of a sequence 
of WFFs, each with a justification for its truth. We will describe four permissible 
justifications for each step: 


e A premise. 

e An axiom. 

e An inference rule. 
e A subproof. 


Note: Officially we might want to annotate the turnstile with “ww”, to mean “proves 
within the WaterWorld inference system”, indicating our use of the WaterWorld domain 
axioms. If you're proving things about other domains, you'd use different domain axioms. 


Example: 
We can formalize the above examples to show each of the following: 


e H-has-2 | G-unsafe 
e A-has-2 | B-unsafe 
e A-has-1,G-safe | B-unsafe 


See below for formal proofs of some of these. 


Stating an axiom, a simple assumed truth, is a rather trivial, boring way of coming up with 
a true formula. Some axioms are domain axioms: they pertain only to the domain you are 
considering, such as WaterWorld. In our case, we don't have any axioms that aren't domain 
axioms. If our domain were arithmetic, our axioms would describe how multiplication 
distributes over addition, etc. 


Just using axioms is not enough, however. The interesting part is to deduce new true 
formulas from axioms and the results of previous deductions. 


Note: “The point of philosophy is to start with something so simple as not to seem worth 
stating, and to end with something so paradoxical that no one will believe it.” Bertrand 
Russell, The Philosophy of Logical Atomism 


An inference rule formalizes what steps are allowed in proofs. We'll use this list of valid 
inference rules as our definition, but, this is just one set of possible inference rules, and 
other people could use slightly different ones. 


First, let's look at some simple examples, using the simpler inference rules. 


Example: 
We'll formalize a previous exercise to show A-has-2 | B-unsafe. 


1 A-has-2 Premise 
2 A-has-2 => B-unsafe A F-unsafe WaterWorld domain axiom 


= Elim, lines 1,2, where 
3 B-unsafe ^ F-unsafe y = A-has-2, and 
yw = B-unsafe ^A F-unsafe 


/\Elim (left), line 3, where 


4 B-unsafe y = B-unsafe, and Y% = F-unsafe 


What we mean in line 3, for example, is that we are using the domain axiom =Elim. That 
states that if we know y = 4%, and we know y, then we can conclude w. In line 3, we have 
defined y = A-has-2 and y = B-unsafe ^A F-unsafe, so that y = w corresponds to the 
conclusion of line 2 and y corresponds to that of line 1. Thus, this domain axiom applies, 
and we get the conclusion w. 

That's almost exactly like the steps we took in the previous informal proof, but now we're a 
bit pickier about our justifications for each step. 


Formally, when using a domain axiom, the justification is a combination of the name of that 
inference rule, the line numbers of which previous WFFs are being used, and a description 
of how those WFFs are used in that inference rule in this particular step. Later, we'll often 
omit the description of exactly how the specific inference rule is used, since in many cases, 
that information is painfully obvious. 


Example: 
In this system, commutativity of A and V are not among the inference rules. However, they 
do follow. For example, consider the following proof of A A BF BA A. 


1 AAB Premise 

2 A /Elim (left), line 1, where y = A 

3 B /Elim (right), line 1, where y = B 

4 BAA (Intro, lines 3,2, where y = B, and y = A 


Does this example also show that C A Dt D A C? Well, yes and no. That proof does 
not have anything to do with propositions C and D. But, clearly, we could create another 
nearly identical proof for C A Dt D A C, by substituting C and D for A and B, 
respectively. What about proving the other direction of commutativity: B A AF A A B? 
Once again, the proof has exactly the same form, but substituting B and A for A and B, 
respectively. Stating such similar proofs over and over is technically necessary, but not very 
interesting. Instead, when the proof depends solely on the form of the formula and not on 
any axioms, we'll use meta-variables to generalize. 


Example: 
Generalized ^A commutativity: x A vFv A x 


1 x Av Premise 
2 v /Elim (left), line 1, where y = x 


3 x /Elim (right), line 1, where Y = v 


4 wv AX Altro, lines 3,2, where yp = v, and Y = x 


Exercise: 


Problem: 


Similarly, associativity of ^A and V are not among the inference rules. This is a 
particularly important detail, since our WaterWorld domain axioms frequently use 
formulas of the forma ^ b A c, which isn't technically legal according to our 
definition of WFFs. What we'd like to show is thaty Av AwFxyx Av A wand 
xX Nv ANwkx Av A was wellas the equivalent for V. Thus, when we see 
three, four, or more terms in a conjunction (or disjunction), we can legitimately group 
them as we see fit. 


Solution: 


Here, we'll show only x Av A wk yxy A v A wand leave the other direction (and 
V's associativity) to the reader. These are all very similar to the previous 
commutativity example. 


1 xv ^w Premise 

2 xX Av /Elim (left), line 1 
3 x /Elim (left), line 2 
4 Vv /Elim (right), line 2 
5 wW A^Elim (right), line 1 
6 v Nw (Intro, lines 4,5 

7 xX NvAw Intro, lines 3,6 


Note that we omitted the detailed explanation of how each rule applies, since this 
should be clear in each of these steps. 


These deductions are straightforward and should be unsurprising, but perhaps not too 
interesting. These simple rules can carry us far and will be used commonly in other 
examples. 


Example: 

The case-elimination rule is easy enough for a dog! Rico has a vocabulary of over 200 
words, and if asked to fetch an unknown toy, he can pick it out of a group of known toys 
by process-of-elimination. (It's almost enough to make you wonder whether dogs know 
calculus.) 


This 
Border 
Collie 
knows his 
inference 
rules. 


There is a subtle difference between implication (=) and provability (—). Both embody the 


idea that the truth of the right-hand-side follows from the left-hand-side. But, = is a 
syntactic formula connective combining two WFFs into a larger WFF, while | combines a 
list of propositions and a WFF into a statement about provability. 
Exercise: 


Problem: 


Show that, y F w is equivalent to F y = w in that, we can show one if and only if we 
can show the other. 


Solution: 


First, if we know y F 4, then that means there is some written proof... we know 
- py => y, simply by >Intro. 


If we know F oy = y, then if we add a premise y, then w follows by =Elim. 


Note how this proof is about other proofs! (However, while we reason about this 
particular inference system, we're not using this system while proving things about it 
— this proof is necessarily outside the inference system. 


using subproofs 
Using subproofs, to show RAA or to aid in presentation. 


Subproofs 


The reductio ad absurdum ("RAA"), Latin for "reduction to absurdity", seems very strange: If we can prove that 
false is true, then we can prove the negation of our premise. Huh!?! What on Earth does it mean to prove that false 
is true? 


This is known as proof-by-contradiction. We start by making a single unproven assumption. We then try to prove 
that false is true. Clearly, that it nonsense, so we must have done something wrong. Assuming we didn't make any 
mistakes in the individual inference steps, then the only thing that could be wrong is the assumption. It must not 
hold. Therefore, we have just proven its negation. 


This form of reasoning is often expressed via contrapositive. Consider the slogan " If you paid list price, you 
didn't buy it at SuperMegaMart. " (This is a contrapositive, because the real statement the advertisers want to make 
is that if you buy it at SuperMegaMart, then you won't pay list price.), which we'll abbreviate 

payFull > —boughtAtSMM. You know this slogan is true, and you just made a SuperMegaMart purchase ( 
bought AtSMM), and are suddenly wanting a proof that you got a good deal. Well, suppose we didn't. That is, 
suppose payF ull. Then by the truth of the marketing slogan, we infer — bought AtSMM. But this contradicts 
boughtAtSMM (that is, from — boughtAtSMM and bought AtSMM together we can prove that false is true). 
The problem must have been our pessimistic assumption payFull; clearly that couldn't have been true, and we're 
happy to know that = payFull. 


Example: 

Spot the proof-by-contradiction used in The Simpsons: 

Bart, filing through the school records: " Hey, look at this: Skinner makes $25,000 per year! " 
Other kids: "Ooooh!" 

Milhouse: " And he's 40 years old; that makes him a millionaire! " 

Skinner, indignantly: " I wasn't a principal when I was 1!" 

Milhouse: " And, he paints houses during the summer ... he's a billionaire! " 

Skinner: " If I were a billionaire, would I still be living with my mother? " [Kids' laughter] 
Skinner, to himself: " The kids just aren't responding to logic anymore! " 


In the particular set of inference rules we have chosen to use, RAA is surprisingly important. It is the only way to 
prove formulas that begin with a single "=". [footnote] 

This is an example of reasoning about our logic system. It shows us that while we might have some redundant 
inference rules, RAA isn't one of them. The only other rule which produces formulas starting with an initial "=" is 


aIntro. Is this also essential, or could we still prove all the same things even without Intro? 


Example: 
We'll prove =~ (œ A ~a). 


1 subproof:@ A ~a F false 


1.a a A\ 7a Premise for subproof 


AElim (left), line 1.a, where y = a, 


Lb a adh = =e 
AElim (right), line 1.a, where y = a 
e =Q 
, and Y = ~ga 
1d false falseIntro, lines 1.b,1.c, where 
p=a 
2 n RAA, line 1, where 
p=a \ 74 
Exercise: 
Problem: 


Here's another relatively simple example which uses RAA. Show that the modus tollens rule holds: 
a => BABE ~a 


Solution: 
1 a> BP Premise 
2 AB Premise 
3 subproof:a + false 
3.a a Premise for subproof 
3.b B =Elim, lines 1,3.a 
3.C false falseIntro, lines 2,3.b 
4 7a RAA, line 3 


Another use of subproofs is to organize proofs' presentations. Many proofs naturally break down into larger 
subparts, each with its own intermediate conclusion. These steps between these subparts are big enough to 
correspond to our intuition, but too big to correspond to individual inference rules. This gives additional useful 
structure to a proof, aiding our understanding. 


Example: 

Previously, we showed that A (AND) commutes. However, that conclusion is only directly applicable when the A 
is at the "top-level", i.e., not nested inside some other connective. Here, we'll show that A commutes inside ~, or 
more formally, = (œ A 8) =(8 A a). 


Note: When doing inference-style proofs, we will not use the Boolean algebra laws nor replace subformulas with 
equivalent formulas. Conversely, when doing algebraic proofs, don't use inference rules! While theoretically it's 
acceptable to mix the two methods, for homeworks we want to make sure you can do the problems using either 
method alone, so keep the two approaches separate! 


We'll do two proofs of this to illustrate that there's always more than one way to prove something! 

In our first proof, we'll use RAA. Why? Looking at our desired conclusion, what could be the last inference rule 
used in the proof to reach the conclusion? By the shape of the formula, the last step can't use any of the 
"introduction" inference rules (A Intro, VIntro, >Intro, falseIntro, or -Intro). We could potentially use any of the 
"elimination" inference rules. But, for AElim, V Elim, Elim, ~Elim, or CaseElim, we would first have to prove 
some more complicated formula to obtain our desired conclusion. That seems somewhat unlikely or unnecessary. 
For falseElim, we'd have to first prove false, i.e., obtain a contradiction, but our only premise isn't self- 
contradictory. The only remaining option is RAA. 


1 a(a A 8) Premise 

2 subproof:8 A aF false 

2.a bAa Premise for subproof 

2.b ang Theorem: A commutes, line 2a 

Dee false falselIntro, lines 1,2.b 

3 a(a A B) RAA, line 2 


The proof above uses a subproof because it is necessary for the use of RAA. In contrast, the proof below uses two 
subproofs simply for organization. 
For our second proof, let's not use RAA directly. Our plan is as follows: 


e Assume the premise = (œ ^ £). 
e Again, use commutativity to show that 86 A a>a ^ 8 


e Use modus tollens to obtain the conclusion. 


We can organize the proof into corresponding subparts: 


1 a(a A B) Premise 
2 subproof:8 A a>a A B 


Theorem statement: A 


Da BANakadA B pe: 


2.b Draca B =Intro, line 2.a 


3 subproof:= (8 A a) 


eo) eee Boe eae Theorem statement 
3.b B ^na=>an ane aN By a dco) = Intro, line 3.a 
3.c (GB haan BB) Anla nB) AIntro, lines 2,1 
3.d a(B A a) =>Elim, lines 3.b,3.c 


More examples 


Now let's use these rules in a couple larger proofs, to show some more interesting results. 


Example: 

Let's redo the first example's proof formally and show H-has-2 ^A J-safe + G-unsafe. The inference rules we 
used informally above don't correspond exactly to those in our definition, so the formal proof is more 
complicated. 


1 H-has-2 => P-unsafe ^A G-unsafe V J-unsafe ^A P-unsafe V G-unsafe ^ J-unsafe 
2 H-has-2 ^ J-safe 

8 H-has-2 

4 P-unsafe ^A G-unsafe V J-unsafe ^A P-unsafe V G-unsafe ^ J-unsafe 

5 J-safe 

6 J-safe > —J-unsafe 


7 —=J-unsafe 


8 subproof:G-unsafe ^ J-unsafe | false 


Pre! 

8.a G-unsafe ^ J-unsafe for 
sub 
AE. 

8.b J-unsafe (rig 
line 
fals 

8.c false ny 
line 
7,8. 

9 —(G-unsafe ^ J-unsafe) 

10 P-unsafe ^A G-unsafe V J-unsafe ^A P-unsafe 

11 subproof:J-unsafe ^A P-unsafel false 
Pre} 

11.a J-unsafe ^A P-unsafe for 
sub 
AE. 

11.b J-unsafe (lef 
line 
fals 

11.c false ny 
line 
HA 

12 —(J-unsafe ^ P-unsafe) 

13 P-unsafe ^A G-unsafe 

14 G-unsafe 


Wow! This formalization is a lot longer than the original informal proof. That's a result of the particular set of 
inference rules we are using, that we can only make inferences in small steps. Also, here we were pickier about the 
distinction between "not safe" and "unsafe". 


Example: 

The previous example is a perfect candidate for adding structure to the proof by using additional subproofs. The 
following is more similar to the original informal proof. 

Note also that subproofs can have their own subproofs. 


1 H-has-2 => P-unsafe ^A G-unsafe V J-unsafe ^ P-unsafe V G-unsafe ^ J-unsafe 
2 subproof: H-has-2 

2.a H-has-2 ^A J-safe 

2.b H-has-2 

3 P-unsafe ^A G-unsafe V J-unsafe ^A P-unsafe V G-unsafe ^ J-unsafe 
4 subproof:+ —J-unsafe 

4.a H-has-2 ^A J-safe 

4.b J-safe 

4.c J-safe > —J-unsafe 

Ad —J-unsafe 

5 subproof:+ P-unsafe ^A G-unsafe 

5.a subproof:G-unsafe ^ J-unsafe| false 

5.a.i G-unsafe ^ J-unsafe 

5.a.ii J-unsafe 


5.a.iii false ip 
lir 
4, 

5.b —=(G-unsafe ^ J-unsafe) 

5.c P-unsafe ^A G-unsafe V J-unsafe ^A P-unsafe 

5.d subproof:J-unsafe ^A P-unsafe | false 
Pr 

5.d.i J-unsafe ^A P-unsafe fo 
su 
N. 

5.d.ii J-unsafe (Ie 
lir 
g. 
fa 

5.d.iii false in 
lir 
4, 

5.e —(J-unsafe ^A P-unsafe) 

5.f P-unsafe ^A G-unsafe 

6 G-unsafe 


A standard way of presenting proofs is by using lemmas to show parts of the proofs. Lemmas are simply formulas 
which we prove not as an end result, but as intermediate steps in a larger proof. So, they are simply another way of 
presenting subproofs. 


Example: 


Example WaterWorld board 


Consider the above figure. We'll show B-has-1 ^A G-has-1 ^A J-has-1 + K-unsafe. We'll do this through the 
following series of lemmas: 


Lemma A: —A-unsafe,G-has-1 | H-unsafe 
Lemma B: —A-unsafe,B-has-1 | C-unsafe 
Lemma C: H-unsafe,C-unsafe,J-has-1 + false 
Lemma D: A-unsafe,B-has-1 | C-safe 
Lemma E: A-unsafe,G-has-1 | H-safe 
Lemma F: C-safe,H-safe,J-has-1 + K-unsafe 


First, we'll show the main proof, assuming each of the lemmas. Then, proofs of each of the lemmas will follow. 


il B-has-1 ^A G-has-1 ^ J-has-1 Premise 

2 B-has-1 AElim (left), line 1 
3 G-has-1 ^A J-has-1 AElim (right), line 1 
4 G-has-1 AElim (left), line 3 
5 J-has-1 AElim (right), line 3 
6 subproof:=A-unsafe | false 

6.a ~A-unsafe Premise for subproof 

6.b H-unsafe Lemma A, lines 6.a,4 

6.c C-unsafe Lemma B, lines 6.a,2 


6.d false Lemma C, lines 6.b,6.c,5 
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A-unsafe 
C-safe 
H-safe 


K-unsafe 


RAA, line 6 
Lemma D, lines 7,2 
Lemma E, lines 7,3 


Lemma F, lines 8,9,5 


And that's the desired proof! Now it just remains to show each of the six lemmas. 
Lemma A: —A-unsafe,G-has-1 | H-unsafe 


—=A-unsafe 
G-has-1 


subproof:A-unsafe ^A H-safe | false 


A-unsafe ^ H-safe 


A-unsafe 
false 
—(A-unsafe ^A H-safe) 
G-has-1 = A-safe ^A H-unsafe V A-unsafe ^A H-safe 


A-safe A H-unsafe V A-unsafe ^A H-safe 


A-unsafe ^A H-safe V A-safe A H-unsafe 


A-safe ^A H-unsafe 


H-unsafe 


Lemma B: —A-unsafe,B-has-1 | C-unsafe 


Premise 
Premise 

Premise 

for 

subproof 

AElim 

falselntro, 

lines 1,3b 
RAA, line 3 
WaterWorld 
axiom 


=Elim, lines 5,2 


Theorem: V 
commutes, line 
6 

CaseElim, lines 
4,7 

AElim (right), 
line 8 


1 =A-unsafe Premise 


2 B-has-1 Premise 
3 subproof:A-unsafe ^A C-safe H false 
Premise 
3.a A-unsafe ^A C-safe for 
subproof 
AElim 
3.b A-unsafe (left), line 
3a 
falselIntro, 
3.c false lines 1,3b 
4 —(A-unsafe ^ C-safe) RAA, line 3 
5 B-has-1 => A-safe ^A C-unsafe V A-unsafe ^A C-safe MWaterWorld 
axiom 
6 A-safe ^A C-unsafe V A-unsafe ^A C-safe >Elim, lines 5,2 
7 A-unsafe ^A C-safe V A-safe ^A C-unsafe Teor Y 


commutes, line 6 


CaseElim, lines 


8 A-safe ^A C-unsafe 4,7 
9 C-unsafe E S 
line 8 


Proving the other lemmas is left as an exercise to the reader. 


Note that we took a little shortcut: we used the lemmas as if they were inference rules. According to our previous 
definition of proofs, we technically should present the lemma as a subproof and then use an inference rule or two 
to show how that applies, as we've done in previous examples. This shorter form is common practice and much 
easier to read. 


In summary, we must state one of the following four possible reasons for each step in a proof, allowing subproofs. 


e This step's WFF is a premise. 

e This step's WFF is an axiom. 

e This step's WFF follows from a inference rule applied to previous steps' WFFs. The reason includes a 
statement of which inference rule is used and how. 

e This step's WFF follows from a subproof, where that subproof may temporarily introduces additional 
premises. The reason includes the entire subproof. When that subproof has been shown elsewhere, such as in 
class or another exercise, it may simply be cited, for brevity. Of course, subproofs may have additional 
embedded subproofs, in turn. 


Technically, when using subproofs, one must be careful to rename variables, to avoid clashes. Rather than 
formalize this notion, we'll leave it as "obvious". 


Propositional Logic: soundness and completeness revisited 


"The folly of mistaking a paradox for a discovery, a metaphor for a proof, a 
torrent of verbiage for a spring of capital truths, and oneself for an oracle, is 
inborn in us. — Paul Valery, poet and philosopher (1871-1945)" 


Throughout this discussion, we've implicitly assumed that if we've proven 
something, it must be true. But we should be careful: What if one of those 
listed inference rule isn't always valid? What if we introduced a new rule? 
(Sure, you'd probably balk if we proposed something silly like , 
or even more degenerately . But what about some more reasonable- 
sounding rule?) What if our new rule introduces an inconsistency, when 
combined with the other rules in a some complicated way? In fact, are we 
absolutely certain that this can't already happen with the inference rules we 
have?! This brings us back to the questions of soundness and completeness 
of a proof system. Fortunately, the system presented here is both sound and 
complete (though proving this is beyond our current scope). However, we 
can rest assured, that for propositional logic, what we can prove really does 
correspond entirely to what is true. 

Exercise: 


Problem: 


If we omitted the RAA inference rule, would this new system be 
sound? Would it be complete? 


Solution: 


It would be sound: Look at all the possible proofs that can be made in 
the original system; all those proofs lead to true conclusions (since that 
original system is sound, as we're claiming). If we just discard all those 
that include RAA, the remaining proofs are still all true, so the smaller 
system is sound. 


It would not be complete, though: As pointed out, RAA is our only 
way to prove negations without premises. There are negated formulas 
that are true (and have no premises) — for example . Without 


RAA, we cannot provide a proof of , so the smaller system is 
incomplete. 


Propositional Logic: type checking 


Proofs and programming 


Proofs are organized a lot like programs. Based on some premises (inputs), 
we obtain some conclusion (output) after using a series of inference rules 
(basic computation like addition and other operations). Using subproofs, 
especially when citing previous proofs, is just like organizing our program 
into functions that can be used many times. 


Naturally, since using inference rules is not only how people prove things, 
but also computers. A clear example is in type checking. The core idea of 
type checking a function application is “If function f takes an argument of 
type a and producing an output of type 8, and expression exp is of type a, 
then f (exp) is of type 8.” This type rule closely resembles = Elim: “If a 
proven formula is a = b and other proven formula is a, then together, b is a 
proven formula.” Furthermore, this similarity is highlighted by notation in 
many programming languages which would write the type of f asa > £. 
Type rules are simply inference rules for proving results about the types of 
programs, and in most typical programming languages these rules closely 
correspond to those we are using for logic. This correspondence is known 
as the Curry-Howard Isomorphism. 


As with logic, we want type checkers to be sound and complete. Soundness 
here means that if the program passes type checking, when we execute the 
program (or single function) and get a value, that value is of the stated type. 
In other words, if our program type checks, then we are guaranteed that 
some kinds of errors will not happen at run-time. That also means that if our 
program would have a run-time type error, the type checker will correctly 
report that our program is erroneous. Completeness here means that if we 
execute the program (or single function) and get a value of a certain type, 
then our type checker indeed tells us that type. 


Note that type checking is still an area of active research, since the job is 
made difficult in the presence of language features such as inheritance, 

multiple inheritance, dynamic class loading, etc. When people introduce 
new computer languages with new features, and want to claim that their 


new language is type safe (that no function ever will be applied to the 
wrong type at run-time), then the paper which introduces the language will 
contain such a proof. 


Propositional Logic: conclusions 


Are we done yet? 


These inference rules may seem limited, and you may have some more 
general ones in mind. Soon, we'll see additional inference rules in the 
context of first-order logic, which will give us a richer set of proofs. In 
general, a hard problem is finding a language that is both expressive enough 
to describe the domain succinctly, but also limited enough to automate 
reasoning. This is a very practical issue in type checking and other program 
analysis. While it can be easy to find some program errors automatically, it 
is very difficult or impossible to guarantee that you can find all errors (of 
some specific kind, like type errors). 


One thing we would like to eliminate is the need (at least technically) to 
restate structurally identical proofs, as discussed for commutativity. We will 
be able to add the idea of generalizing such proofs directly into the logic 
and inference rules. 


Despite the desire for more flexible reasoning, we'd also like to consider 
whether we have more inference rules than are necessary. Are some of them 
redundant? This is similar to the software rule that we should have a single 
point of control, or the similar idea that libraries should provide exactly one 
way of doing something. In general, this is not easy to ensure. We have 
shown that some potential additional inference rules, like commutativity 
and associativity, weren't necessary. But we haven't shown our core 
inference rules to be minimal. What do you think? (See the homework 
exercise problems on the redundancy of not-elimination, not-introduction, 
and case-elimination, ) 


Distinctness of the approaches (optional) 


You might be wondering — can we use propositional equivalences as 
axioms when using inference rules? The short answer is no. First, Boolean 
equivalences are pairs of formulas, whereas axioms are individual 
formulas. Second, none of our inference rules mention equivalences. 


However, let's reword the question — could we use propositional 
equivalences when using inference rules? It would make sense to add an 
inference rule to allow this. One possibility would be an inference rule that 
turns an equivalence into an implication: “if we know y = p, then we 
know y => vw.” Another possibility would be an inference rule that allows 
us to substitute equivalence subterms, as we do in equivalence proofs: “if 
we know y = wand 9, then we know 6/y+> 7, i.e., 0, except with 
instances of y replaced by w.” With either, we would also have to allow 
equivalence proofs as subproofs or lemmas in inference proofs. 


Traditionally, and in our presentation, we do not combine equivalences and 
inference rules in any such way. The disadvantage of combining them is 
that instead of two relatively simple proof systems, you would have one 
more complicated proof system. It would be harder to learn all that you 
could do in such a system, and for theorists, it would be harder to prove 
things such as soundness and completeness for the combined system. In 
learning and describing proofs, it is best to keep them separate. However, 
the advantage would be shorter proofs. When using the combined system, 
you'd have flexibility to use whichever technique suited the current step 
best. In practice, people commonly combine these and other proof 
techniques. 


Exercises for Propositional Logic I 
Problems on propositional logic, including truth-tables, boolean algebra, 
and inference rules. 


Please write logic formulas using the syntax previously defined, using false 
(or for brevity, "F"), true (or "T"), =, A, V, and =. Except where directed, 
use only these connectives. 


Note: You can download WaterWorld if you like. At Rice University, 
WaterWorld is installed on OwlNet, in 
/home/comp280/bin/waterwor ld. 


Propositional Logic 


Exercise: 


Problem:([Practice problem—solution provided. ] 


Your friend Tracy argues: " It is bad to be depressed. Watching the 
news makes me feel depressed. Thus, it's good to avoid watching the 
news. " 


Regardless of whether the premises and conclusion are true, show that 
the argument is not, by showing it doesn't hold for all domains. 
Replace "depressed" and "watching news" with expressions which 
leave the premises true, but the conclusion false (or at least, what most 
reasonable people would consider false). 


Solution: 


Lots of possible counterexamples. " It is bad to be depressed. Doing 
homework makes me depressed; so it's good to not do my homework. 
" Or, " It is bad for people to be in physical pain. Childbirth causes 
pain. Therefore childbirth needs be avoided by all people. " If the 


original conclusion is really correct, Tracy needs to elucidate some of 
his unspoken assumptions. 


The flaw seems to be along the lines of, " avoiding bad in the short run 
may not always be good in the long run " (or equivalently, sometimes 
you have to choose the lesser of two evils). No, you weren't asked to 
name a specific flaw, and reasonable people can differ on precisely 
what the flaw is. (And, formal logic is not particularly helpful here.) 
Nonetheless, uncovering hidden assumptions in arguments often helps 
understand the real issues involved. 


Note: For fun, pick up the front page of the daily newspaper, and see 
how many arguments use faulty rules of inference and/or rely on 
unspoken premises (which not all might agree with). In particular, 
political issues as spun to the mainstream press are often riddled with 
error, even though there are usually reasonable arguments on both 
sides which policy-makers and courts debate. 


Exercise: 


Problem:([Practice problem—solution provided. ] 


An acquaintance says the following to you: " Chris claims knowledge 
is more important than grades. But she spent yesterday doing an extra- 
credit assignment which she already knew how to do. Therefore, she's 
a hypocrite and deserves no respect. " 


Regardless of whether the premises and conclusion are true, show that 
the argument is not, by showing it doesn't hold for all domains. 
Replace "knowledge" and "grades" with expressions which give you 
true premises, but a false conclusion (or at least, what most reasonable 
people would consider false). 


Note: Exaggerate "knowledge" to something more important, and 
"grades" to something less important. 


Solution: 


" Terry claims that encouraging human-rights is more important than 
playing Tetris. But Terry played Tetris yesterday rather than 
volunteering with Amnesty International. " Most people wouldn't 
condemn Terry as a hypocrite just because of this; even the most 
dedicated of people are entitled to some free time. If your friend wants 
to prove Terry hypocritical, they'll have to provide further evidence or 
arguments. 


Or similarly, " Politician X claims to support science funding, but 
voted against a proposal to shift all Medicare funds to NASA. " 


Exercise: 


Problem:([Practice problem—solution provided. ] 


While the following argument may sound plausible initially, give a 
particular situation where the conclusion doesn't hold (even though the 
premises do). Then, in a sentence or two, sketch why your 
counterexample may still represent rational behavior by pointing out a 
real-world subtlety that the initial argument ignored. 


If a certain outfit meets a dress code, then per force all less- 
1. revealing outfits also meet that dress code. 


In public transportation projects, out of two alternatives, the 
2. cheaper one which gets the job done is the better choice. 


Solution: 


1. It can be socially acceptable to wear my swimsuit into a fast-food 
restaurant. My underwear is less revealing than my swimsuit, and 
yet it would still raise many more eyebrows to go to that 
restaurant in my underwear, than my swimsuit. 


Clothes (and style in general) somehow encompass a form of 
communication, and people may object to an outfit's mood or 
message without actually objecting to how much the outfit 
reveals. (Other examples of communication-through-style include 
team logos, t-shirts with humorous slogans, and arm bands.) 


2. Buses are a lot cheaper than light rail. Yet, the light-rail here in 
Houston demonstrates that many people who wouldn't routinely 
take a bus are willing to take light rail. (Only after we recognize 
this, can we try to figure out what why the difference exists, and 
then brainstorm to find a better overall solution.) 


Exercise: 


Problem: 


Choose just one of the following informal arguments. While the 
argument sounds plausible initially, give a particular situation where 
the conclusion doesn't hold (even though the premises do). Then, 
briefly state why your counterexample may still represent rational 
behavior by pointing out a real-world subtlety that the initial argument 
ignored. 


[cell phone] Talking on a cell phone while driving increases the 

likelihood of an accident. Interestingly, hands-free phones do not 

significantly help. It's just the distraction of a phone conversation 
1. that causes the problem. 


[equivalent products] If two companies offer two materially 
equivalent products, then most everybody will buy the cheaper 
2. one. 


[service] In a free market, if a company doesn't offer good 
service, individual customers will become fed up and take their 
3. business elsewhere. 


[web browser] If there are two versions of a free web browser, 
and they run equally quickly, users will use the one with better 
4. features/interface. 


[door-locking] Anybody who really wants to break into your 
house while you're gone will be able to. (For instance, using a 
towel to muffle sound, break the comer of a back window, reach 
in and unlatch the window, and climb through.) So there's no 

5. point in locking your front door. 


Exercise: 


Problem:([Practice problem—solution provided. ] 
Let p, q, and r be the following propositions: 


e p: You get an A on the final exam 
e q: You do every exercise in the book. 
e r: You get an A in this class. 


Write the following formulas using p, g, and r and logical connectives. 
You get an A in this class, but you do not do every exercise in the 
1. book. 


To get an A in this class, it is necessary for you to get an A on the 
2. final. 


Getting an A on the final and doing every exercise in the book is 
3. sufficient for getting an A in this class. 


Solution: 
Lr A mg 
2° >p 


Think of the English being reworded to " If you got an A in this 
class, you must have gotten an A on the final. " 


3p gr 
Exercise: 
Problem: 


Translate the following English sentences into propositional logic. 
Your answers should be WFEs. 


1. If the Astros win the series ("AW"), then pigs will fly ("PF"). 
2. Pigs will not fly, and/or bacon will be free ("BF"). 


3. The Astros will win the series, or bacon will be free, but not both. 
Exercise: 


Problem:[|Practice problem—solution provided.] 

It just so happens that all the web pages in Logiconia which contain 
the word "Poppins" also contain the word "Mary". Write a formula (a 
query) expressing this. Use the proposition Poppins to represent the 
concept "the web page contains 'Poppins'" (and similar for Mary). 


Solution: 


Poppins => Mary 


Exercise: 


Problem: 


e If a Logicanian page contains the word "weasel", then it also 
contains either "words" or "eyed"; and 

e Whenever a Logiconian page contains the word "mongoose", it 
does not also contain the word "weasel"; and 

e Finally, all Logiconian pages contain the word "Logiconia", rather 
patriotically. 


Write a formula expressing all this. (Your formula will involve five 
propositions: weasel, words, ... Try to find a formula which mirrors 
the wording of the English above.) 


Given the above statements, if a web page in Logiconia does not 
contain "weasel", does it contain "mongoose"? 


Let's go meta for a moment: Is this web page Logiconian? (Yes, this 
one you're looking at now, the one with the homework problems.) 
Explain why or why not. 


Exercise: 
Problem: 


Different search engines on the web have their own syntax for 
specifying searches. 


Note: Note that a formula may be true for some web pages, and false 
for others. The search engine is concerned with finding all web pages 
which satisfy the formula. This is called a query, in database lingo. 


Only_a few allow full Boolean queries. Some interpret a list of several 
words in a row as an implicit conjunction, others as an implicit 


disjunctions. 


Read about the search syntax for the search language of eBay®. 

Write an eBay query for auctions which contain "border", do not 

contain "common", and contain at least one of "foreign" or 

"foriegn" [sic, misspellings are a great way to find underexposed 
1. auctions]. 


Google£'s advanced search is typical for the online search 

engines. In particular, you can search for results containing all of 

a, b, ..., at least one of c, d, ..., and none of e, f, .... Describe 
2. how that corresponds to a Boolean formula. 


Give an example of a Boolean formula which cannot be rewritten 
3. to conform to Google's advanced search interface. 


Exercise: 


Problem:([Practice problem—solution provided. ] 


[e] WaterWorld 


Game Help 


Pirates left: 5 Ratio: 45% 


A sample WaterWorld board 


Consider the particular board shown in the above figure. 


Y-safe, Y-has-0, and —Y-has-2 are among the formulas which 
are true for this board but not for all boards. That is, they are 
neither domain axioms nor tautologies. Give two other such 

1. formulas. 


V-safe might or might not be true for this board. Give two other 
2. such formulas. 


Solution: 
1. There are many simple answers, such as Y-has-1, ~W-has-1, ... 
2. There are many simple answers, such as a, N-has-1, J-has-3, .. 
For each, there are also many such formulas composed with 
connectives such as A and V. 
Exercise: 
Problem: 
In that same board, is location W safe? What is your informal 
reasoning? (List all your small steps.) Similarly for location P. 
Exercise: 
Problem: 
Give a domain axiom of WaterWorld which was omitted in the ellipses 
in the WaterWorld domain axioms. 
Exercise: 
Problem: 
Even allowing for ellision, the list of WaterWorld domain axioms is 
incomplete, in a sense. The game reports how many pirates exist in 


total, but that global information is not reflected in the propositions or 
axioms. 


First, assume we only use the default WaterWorld board size and 
number of pirates, i.e., five. Give samples of the additional axioms that 
we need. 


Next, generalize your answer to model the program's ability to play the 
game with a different number of pirates. 


Exercise: 


Problem: Give one WFF which meets all three conditions: 


e true in all WaterWorld boards ("A theorem of WaterWorld") 

e not already listed as one of the WaterWorld domain axioms, and 

e not a tautology of propositional logic (can be made false in some 
truth assignment, though it may not be a truth assignment which 
satisfies the waterworld axioms). 


Reasoning with Truth Tables 


When writing truth tables, please list rows in the order used in all examples: 
FF, FT, TF, TT. For three-input tables, use the above four lines preceded by 
F, then the above four lines preceded by T. 

Exercise: 


Problem: 
In a truth table for two inputs, provide a column for each of the sixteen 


possible distinct functions. Give a small formula for each of these 
functions. 


Note: These functions will include those for A, V, and the other 
connectives whose truth tables you've already seen. 


Exercise: 


Problem:([Practice problem—solution provided. ] 


Write the truth table for xnor, the negation of exclusive-or, What is a 
more common name for this Boolean function? 


Solution: 


p Y% p xnor 4% 
false false true 
false true false 
true false false 
true true true 


Truth table for xnor 


This is the "equals" for Booleans. It is also represented by the 
connective if-and-only-if. 


If you said something like "the both-or-neither function", that's not 
quite good enough, as it's a roundabout way of expressing the simple 
idea of equivalence. Granted, it takes some practice to internalize 
Booleans as values, and that equality is as valid for them as for any 
other value. 


Exercise: 
Problem: 
How many years would it take to build a truth table for a formula with 


1000 propositions? Assume it takes 1 nanosecond to evaluate each 
formula. 


A formula with 1000 propositions clearly isn't something you would 
create by hand. However, such formulas easily arise when modeling 


the behavior of a program with a 1000-element data structure. 
Exercise: 


Problem: 
Use truth tables to answer each of the following. Showing whether the 
connectives obey such properties via truth tables is one way of 
establishing which equivalences or inference rules we should use. 

1. Show whether = is commutative. 

2. Show whether ® is commutative. 


3. Show whether ® is associative. 


Prove that A distributes over V: 
4y N(bVAI=PAYVGEA BO 


Note: This version is left-distributivity. Right-distributivity 
follows from this plus the commutativity of A. 


Prove that V distributes over A: 
5YVPAD=(HYVY) AY V 8) 


6. Show whether A or V distribute over >. 
7. Show whether = distributes over A or V. 
8. Show whether A or V distribute over @. 


9. Show whether ® distributes over A or V. 


Exercise: 
Problem: 


For each of the following, find a satisfying truth assignment, (values of 
the propositions which make the formula true), if any exists. 


Exercise: 
Problem: 


For each of the following, find a falsifying truth assignment, (values of 
the propositions which make the formula false), if any exists. 


1. (a=b) Va 
2.(-b=>(a>c)) Vad b 


Exercise: 


Problem: 


Formula ¢ is stronger than formula w if ~ is true whenever g is true 
(i.e., y is at least a strong as 7), but not conversely. Equivalently, this 
means that y = wy is always true, but Y = ¢ is not always true. 


As one important use of this concept, if we know that Y% => 0, and that 
y is stronger than w, then we also know that y = 0. That holds simply 
by transitivity. Another important use, which is outside the scope of 
this module, is the idea of strengthening an inductive hypothesis. 


Similarly, y is weaker than formula ~ whenever W is stronger than y. 


Show which of the following hold. When true, show y = w is true by 
a truth table, and show a falsifying truth assignment for Y = p. When 
false, give a truth table and truth assignment the other way around. 


1.a A bis stronger thana V b. 
2.a V bis stronger than a. 
3. a is stronger than a => b. 


4. bis stronger than a => b. 


Exercise: 


Problem: 


Using truth tables, show that (a V c) A (b= c) A (c= a) is 
equivalent to (b = c) / a. but not equivalent to 
lav e) Aa {oS <0) 


Exercise: 


Problem:[Practice problem—solution provided. | 


When writing a complicated conditional that involves multiple pieces 
of data, it is easy to incorrectly oversimplify. One strategy for avoid 
mistakes is to write such code in a two-step process. First, write a 
conditional with a case for every possible combination, as in a truth 
table. Second, simplify the conditional. 


Using this approach, we might obtain the following code after the first 
step. Simplify this code. 


list merge_sorted_lists(list list1, list list2) 


if (is_empty(list1) && is_empty(list2)) 
return empty_list; 
else if (is_empty(list1) && 
lis empty(list2) ) 
return list2; 


else if (!1is_empty(list1) && 
is_empty(list2) ) 
return list1; 
else if (!1is_empty(list1) && 
lis empty(list2)) { 
if (first_element(list1) < 
first_element(list2) ) 
return make_list(first_element(list1), 


merge_sorted_lists(rest_elements(list1),list2) ) 


else if (first_element(list1) >= 
first_element(list2) ) 
return make_list(first_element(list2), 


merge_sorted_lists(listi, rest_elements(list2) )) 


T 


} 
} 
Solution: 


list merge_sorted_lists(list listi, list list2) 


if (is_empty(list1) ) 

return list2; 
else if (is_empty(list2) ) 

return list1; 
else { 

if (first_element(list1i) < 

first_element(list2) ) 
return make_list(first_element(list1), 


merge_sorted_lists(rest_elements(list1),list2) ) 


else 
return make_list(first_element(list2), 


merge_sorted_lists(listi, rest_elements(list2) ) ) 


} 


1 


} 


Alternatively, we could test the emptiness of the lists in the other order. 
Exercise: 


Problem: 


Consider the following conditional code, which returns a boolean 
value. 


int i; 
bool a,b; 


if (a && (i > 0)) 
return b; 

else if (a && 1 <= 0) 
return false; 

else if (a || b) 
return a; 

else 
return (i > 0); 


Simplify it by filling in the following blank with a single Boolean 
expression. Do not use a conditional (such as if or ?:). 


int 1; 
bool a,b; 


return 7 


Use either Java/C++ or Scheme syntax. In the former case, please fully 
parenthesize to make your formula unambiguous, rather than relying 
on Java's or C++'s many levels of operator precedence. 


Reasoning with Equivalences 


Exercise: 


Problem:[|Practice problem—solution provided.] 


Using algebraic identities, and the definition or nor (mnemonic: "not 
or"), written |, y | Y =~ (y V p), express the function A in terms 
of | only. That is, give a formula which doesn't use A, V, ~, but 
instead only uses | and which has the same truth table as y ^ w. 


Solution: 


First we show that we can write negation in terms of |, or more 
specifically, -@ = 0 | 0. Checking this on a truth table is pretty easy 
(there are only two rows to check). But for this question we need to 
use algebraic manipulation. This can be derived in a couple of simple 
steps: 


2 =-6 A -0 Idempotency of A 
3 =-(6 v 8) DeMorgan's law 
4 =0 0 Definition of nor 


We use this lemma to show our ultimate goal: 


1 dA€ 

2 =~ (ő A £) Double Complementation 
3 =-(-=6 V 76) DeMorgan's law 

4 =-((d | 6) V ~£) Lemma, with [0-36] 

5 =.((6 | 6) v (eLe)) Lemma, with 0 = € 

6 Ae ue Definition of nor, where 


yp=dld,andw=ele 


Note that we judiciously used new meta-variables ô and € rather than 
re-using y and w (which would still be correct, but would make the 
graders need to pay much closer attention to the scope of those 
variables). 


Exercise: 


Problem: 


Similar to the previous exercise, express each of the following using 
nand only, and prove correctness using the algebraic identities. 


This operation is particularly interesting, since making a NAND gate 
in hardware requires only two transistors. 


2 ie 
< >l 


Exercise: 


Problem: 


Using algebraic identities, show that 
(a V ce) A (b= c) A (e > a) is equivalent to (b => c) A a. 


This is an algebraic hand-evaluation: a series of formulas joined by =. 
Don't write just portions of previous formulas and mysteriously re- 
introduce the dropped parts later. For each step, mention which 
identity you used. It is also helpful if you underline the formula you 
are rewriting in the next step. You can use commutativity and 
associativity without using a separate line, but mention when you use 
it. 


Exercise: 
Problem: 


In two exercises, you've shown the same equivalence by truth tables 
and by algebraic identities. 


What is an advantage of using truth tables? What is an advantage 
1. of using identities? 


In that truth table exercise, you also showed two formulas y and 
w non-equivalent. It is also possible to do so with Boolean 
2. algebra rather than truth tables. How? 


Describe a hybrid approach, combining truth tables and Boolean 
algebra, to prove the equivalence and non-equivalence of 
3. formulas. 


To ponder on your own without turning it in: Which approach 
4. appeals more to you? 


Exercise: 
Problem: 


Using algebraic identities, rewrite the formula (a = b V c) A —bto 
one with fewer connectives. 


Exercises for Propositional Logic II 


Reasoning with Inference Rules 


For proofs on this homework, remember that each step must be justified by one of the following: 


e 


a premise, 

a WaterWorld axioms, 

a listed inference rule with the referenced line numbers (and, if ambiguous, substitutions for the inference 
rule's meta-variables), or 

a subproof shown inline, or equivalently, a theorem/lemma shown previously. 


Except where otherwise directed, you may use any theorem shown in the text or by a previous exercise, even if 
that exercise was not assigned. 
Exercise: 


Problem: Fill in the blank reasons in the following proof that V commutes, that is, x V vF v V x. 


1 x Vu Premise 
2 subproof:y ku V x 
2.a x Premise for subproof 
2.b vuVXx VIntro, line 2.a 
3 subproof:u- v V x 
3.a v Premise for subproof 
3.b vuV Xx 
4 vuV Xx 
Exercise: 


Problem: Show that y A Y, => 04 >8F0 A 6. 


Note: It should take around 8 steps. 


Exercise: 


Problem: Show what is often called the implication chain rule: y > ~,y > 0 F yp > 80. 


Exercise: 


Problem:| Practice problem—solution provided. ] 


Show what is often called negated-or-elimination (left): = (y V Y) F 7. 


Note: Think backwards. How can we end with ~y? One way is to end with RAA, under the premise y. 
Using that premise ¢ and the starting premise — (p V p) can you derive the contradiction? 


Solution: 
1 a(y V y) Premise 
2 subproof:y F false 
2.a p Premise for subproof 
2.b (ORAVA) v Intro, line 2a 
2.c false falseIntro, lines 1,2b 
3 ay RAA, line 2 
Exercise: 


Problem: Using the inference rule RAA, prove ~y F = (p A Ww). 


Exercise: 


Problem: Show that ~W-safe V —Y-unsafe | W-unsafe V Y-safe. 


Note: The proof is a bit longer than you might expect. Use the VElim inference rule to get the final result. 


Exercise: 


Problem: 


In our inference rules, unlike our equivalences, we chose to not include any corresponding to distributivity. 


1. Prove a left-hand version of one direction of distributivity: p A (Y V OFE APV enG. 


Use the previous part's result, plus A's commutativity to prove the corresponding right-hand version: 
2y VAVApEYAGVOAA yg. 


Exercise: 


Problem: 


In our inference rules, unlike our equivalences, we chose to not include any corresponding to DeMorgan's 
Law. Show that each of the following versions is still provable. 


ly V yka A w) 
2. = (p V pb =p A 7 
3p A prale V =) 
4Aa(p A oF 7g V ay 


Exercise: 


Problem: 


The above exercise suggests that it would be useful to have an inference rule or theorem that says given 
9+ —6, then = + 6. Or, equivalently, because of =Intro and Elim, 0 = —é F —~0 => 6. Why don't we? 


Exercise: 


Problem: 


In our inference rules, unlike our equivalences, we have nothing that directly equates y => y% and ~y V 4. 
Prove each of the following. 


ly=svr-wy V y 
2p V yYyFge=>y 


Exercise: 


Problem: Prove the following: y > Yyy > pF p Ap V nagy A AW 


Exercise: 


Problem: Prove what is commonly called the Law of Excluded Middle: F y V >x. 


Give a short proof citing our previous proof of = — (x ^ —x) and the relevant version of DeMorgan's 
1. Law from above. 


2. Give a direct version without using previous theorems. 


Note: Use RAA two or three times. 


Exercise: 


Problem: 


Prove the missing steps and reasons in the following WaterWorld proof of 
X-has-1 + W-unsafe V Y-unsafe. 


5.b 


5.d 


Exercise: 


X-has-1 


subproof:W-safe ^A Y-unsafe W-unsafe V Y-unsafe 
W-safe ^A Y-unsafe Premise for subproof 


Y-unsafe 


W-unsafe V Y-unsafe 


subproof:— (W-safe ^A Y-unsafe) į W-unsafe V Y-unsafe 
—=(W-safe ^A Y-unsafe) Premise for subproof 


CaseE lim (left), lines 


W-unsafe ^A Y-safe 


W-unsafe V Y-unsafe 


W-safe ^A Y-unsafe V —(W-safe ^A Y-unsafe) 


W-unsafe V Y-unsafe 


Problem:| Practice problem—solution provided. ] 


[8] WaterWorld 


Game Help 


Pirates left: 5 Ratio: 45% 


A sample WaterWorld board 


Given the above figure, and using any of the immediately obvious facts as premises, prove that location P is 
safe by using our proof system and the WaterWorld axioms. 


While this proof is longer (over two dozen steps), it's not too bad when sub-proofs are used appropriately. To 
make life easier, you may use the following theorem: 

Q-has-1 = P-safe ^A R-safe V P-safe A W-safe V R-safe A W-safe, along with any proven 
previously. When looking at the given board, you can use premises like Y-safe as well as ~Y-unsafe. 


Solution: 
1 Q-has-1 
2 X-has-1 
3 7Y-unsafe 
4 W-unsafe V Y-unsafe 


5 Y-unsafe V W-unsafe 


6 W-unsafe 


7 subproof:—— (P-safe A W-safe) H false 
Premise for 
7.a ~~ (P-safe A W-safe) 
subproof 
7.b P-safe A W-safe Sid line 
7e W-safe AElim, line 
; 7.b 
7.d W-safe => =W-unsafe Waterworld 
axiom 
=>Elim, 
ve 7W-unsafe lines 7.c,7.d 
falseIntro, 
a false lines 6,7.e 
8 —=(P-safe A W-safe) 
9 subproof:—— (R-safe ^A W-safe) | false 
Premise for 
9.a = (R-safe A W-safe) 
subproof 
9.b R-safe A W-safe ae line 
9c W-safe AElim, line 
; 9.b 
9.d W-safe => =W-unsafe ET 
axiom 
=>Elim, 
ae 7W-unsafe lines 9.c,9.d 
falselntro, 
a false lines 6,9.e 


10 —=(R-safe A W-safe) 


11 Q-has-1 = P-safe ^A R-safe V P-safe A W-safe V R-safe A W-safe 


12 P-safe A R-safe V P-safe A W-safe V R-safe A W-safe 


13 R-safe A W-safe V P-safe A R-safe V P-safe A W-safe 


14 P-safe A R-safe V P-safe A W-safe 


15 P-safe A W-safe V P-safe A R-safe 


16 P-safe A R-safe 


17 P-safe 


Alternatively, the subproofs could easily have been pulled out into lemmas. Just like using subroutines in a 
program, that would make the proof somewhat clearer, even though in this case each lemma would be used 
only once. 


Observe how the two subproofs have some identical lines (7.c-7.f and 9.c-9.f). It would be incorrect to 
replace those lines in the second subproof with a citation of the results of the first subproof. First, because the 
previous subproof had been completed, and moreover, the two subproofs have different premises. This is 
analogous to two subroutines that happen to have some identical code lines, even through they are called 
separately and have different parameters. 


Note: Interestingly, we didn't need to use R-safe as a premise. (In fact, we nearly proved that ~R-safe 
would have been inconsistent with the other premises.) 


Exercise: 


Problem: 


Starting from the WaterWorld axiom 

Q-has-1 = P-safe ^A R-safe A W-unsafe V P-safe A R-unsafe A W-safe V P-unsafe ^A R-safe / 
, we could prove the following theorem cited in the previous problem: 

Q-has-1 = P-safe ^A R-safe V P-safe A W-safe V R-safe A W-safe. 


Prove the following theorem which is slightly simpler: p > Yy A OV 6dAcecrFysWV 6. 


Note: If you have trouble, first prove an even simpler version: Y > Y A 0F p= w. 


Exercise: 


Problem:| Practice problem—solution provided. ] 


Show that the =Elim inference rule is redundant in our system. In other words, without using ~Elim, prove 
that ~~g F y. 


Solution: 


1 a7 Premise 
2 subproof:—-y | false 

2.a ay Premise for subproof 

2.b false falseIntro, lines 1,2.a 


3 yp RAA, line 2 


Exercise: 


Problem: 


Show that the -Intro inference rule is redundant in our system. In other words, without using Intro, prove 
that y F ~~g. To make sure that you're not hiding any uses of Intro, also do not use any previous theorems. 


Exercise: 


Problem: 


Show that the CaseElim inference rule is redundant in our system. For brevity, we'll just consider the left- 
hand version. In other words, without using CaseElim, prove that y V %,=~ọ F w. To make sure that you're 
not hiding any uses of CaseElim, also do not use any previous theorems. 


Exercise: 


Problem: 


e State where on a board pirates could be positioned, so that: P-has-1 ^A U-has-1 ^A W-has-1, but 
X-safe. 

e Compare this with a previous theorem, B-has-1 ^A G-has-1 ^A J-has-1 => K-unsafe, the same idea 
shifted down a couple of rows. Suppose we try to translate this theorem's proof so as to conclude 
—+X-safe (clearly untrue, by the above). What is the first step of the modified proof which doesn't hold 
when B,G,J,K are mindlessly replaced with P,U,W,X, respectively? (Just give a line number; no 
explanation needed. Your answer will be of the form "Lemma A line 1" or "main proof line 2".) 

e We've just seen that the mindless changing of location-names introduces false steps. But we can be a 
little smarter, and modify the false step to get a formula which is true, and is also still in the spirit of the 
original proof. We can thus patch the problem from the previous part, and continue on modifying the 
original proof for several more steps. But clearly we can't translate the entire original proof; we 
eventually hit a more fundamental snag: a formula which isn't true, yet can't be patched up, either. What 
is the first line that can't be patched? (Again, just give a line number; no explanation needed. Your 
answer will be of the form "Lemma A line 1" or "main proof line 2".) 


Exercise: 


Problem: 


Which is worse, having an unsound (but complete) inference system or an incomplete (but sound) one? Why? 


Relations and Logic: using relations 


Relations: Building a better (representation of) WaterWorld 


So far, we have represented WaterWorld boards using propositions like 
A-has-2 and B-unsafe. You've probably already felt that this is unwieldy, 
having hundreds propositional variables running around, with only our 
naming convention implying any relation between them. Worse, this zoo of 
propositions doesn't reflect how we actually think about WaterWorld. For 
instance, the only way the rules recognize that locations A and B are near 
each other is because of several axioms which simultaneously involve 
A-has-2 and B-unsafe, etc., in just the right way to result in our idea of the 
concept “neighbor”. In fact, there is no way of talking about the location A 
directly; we only had propositions which dealt with its properties, such as 
whether or not it neighbored exactly two pirates. 


If writing a program about WaterWorld, our program should reflect our 
conception of the problem. However, as it stands, our conception 
corresponds to having many many Boolean variables named A-has-2, 
B-unsafe, etc. Even worse, the rules would be encodings of the hundreds 
of axioms. A long enumeration of the axioms is probably not how you 
think of the rules. In other words, when explaining the game to your friend, 
you probably say “if a location contains a 2, then two of its neighbors are 
pirates”, rather than droning on for half an hour about how “if location A 
contains a 2, then either location B is unsafe or ...”. 


Moreover, the original rules only pertained to a fixed-size board; inventing 
a new game played on a 50x50 grid would require a whole new set of rules! 
That is clearly not how we humans conceptualize the game! What we want, 
when discussing the rules, is a generic way to discussing neighboring 
locations, so that we can have one single rule, saying that if a (generic) 
location has a zero, then any neighboring location is safe. Thus, we allow 
the exact details of “neighboring location” to change from game to game as 
we play on different boards (just as which locations contain pirates changes 
from game to game). 


In a program, you'd probably represent the board as a collection (matrix, 
list, whatever) of Booleans. In our logic, to correspond to this data 
structure, we'll introduce binary relations. 


Note: By including relations (rather than sticking entirely with 
propositions), we are leaving the realm of propositional logic; we'll soon 
reach first-order logic once we also introduce quantifiers — 
corresponding to aspects of program control-flow (loops). 


We'll start by adding a way to express whether any two locations are 
adjacent: a relation nhbr, which will encode the board's geography as 
follows: nhbr (A, B) and nhbr (Z, Y) are true, while nhbr (A, D) and 
nhbr (M, Z) are false. 


What, exactly, do we mean by “relation”? We'll see momentarily, that we 
can represent nhbr as a set of pairs-of-locations (or equivalently, a function 
which takes in two locations, and returns either true or false.) 


This relation "nhbr" entirely encodes the board's geography. Giving 
somebody the relation is every bit as good as to showing them a picture of 
the board (in some ways, better — the relation makes it perfectly clear 
whether two locations which just barely touch at a single point, like B and 
G, are meant to be considered neighbors.) 

Exercise: 


Problem: 

We used a binary (two-input) relation to describe neighboring 
locations. How can we use a relation to capture the notion “location A 
is safe”? 


Solution: 


We'll use a unary (one-input) relation: safe(A) is true if and only if 
(“iff”) location A is safe. 


After defining relations and discussing their properties, we'll talk about 
interpreting logic formulas relative to particular relations. 


Using relations gives us additional flexibility in modeling our domain, so 
that our formal logical model more closely corresponds to our intuition. 
Relations help separate the WaterWorld domain axioms (code) from the 
data, i.e., the particular board we're playing on. 


properties of relations 
Relations are subsets. Binary relations might be reflexive, symmetric, antisymmetric, or 
transitive. 


When using relations in logic formulas, there are two things going on: 


e relations themselves, as mathematical entities, and 
e formulas involving symbols, which must be interpreted as specific relations. 


First things first: we'll just discuss relations for now, and later tackle using relations in 
logic formulas. 


We'll start with a couple of equivalent ways of defining relations, and then discuss a 
common subclass of relations: binary relations. 


Relations as subsets 


Consider the set of WaterWorld locations Loc = {A, B,..., Z}. For this domain (also 
known as a universe), we'll say a binary relation is a set of (ordered) pairs of the 
domain. 


Example: 

For instance, the nhbr relation of the previous section is the set 
CA BAS Gs) An eA CBS lune to eA el A 
That is, x is related to y if (x, y) is in the set nhbr. 


Example: 

For the domain D = {Object, String, MutableString}, the relation subclass-of 
might be {(String, Object), (MutableString, Object), (MutableString, String) }. 
In general, a binary relation over the domain D is a subset of D x D. Note that these 
are ordered pairs; just because z is related to y doesn't mean y has the same relation to 
x. For example, while (MutableString, Object) is in the relation subclass-of, the 
pair (Object, MutableString) most certainly is not. 


Example: 
You can consider the relation hasStarredWith, over the domain of Hollywood actors. 
We won't list all the elements of the relation, but some related pairs are: 


e hasStarred With (Ewan McGregor, Cameron Diaz), as witnessed by the 
movie A Life Less Ordinary, 1997. 

e hasStarred With (Cameron Diaz, John Cusack), as witnessed by the movie 
Being John Malkovich, 1999. 


If binary relations are subsets of pairs of the domain, what might a unary relation be? 
Simply, subsets of the domain. 


Example: 
For the domain of vegetables, Ian defines the relation yummy? as 
{tomatoes, okra, cucumbers, carrots, potatoes} and nothing else. 


Example: 
In one particular game of WaterWorld, the relation hasPirate turned out to be 
{K,T, R,U, E}. 


If unary and binary relations make sense, what about ternary, etc., relations? Sure! In 
general, a k-ary relation (or, "relation of arity k") over the domain D is a subset of D*. 
However, any given relation has a fixed arity. That is, a relation may be binary or 
ternary, but not both. 


As with propositions, rather than writing " R(, y) is true ", we'll simply write " 

R(x, y) ". In fact, notice that once you choose some particular pair of x and y, then 
R(x, y) can be treated as a single true/false proposition. (We'll soon extend the idea of 
propositions to include such relation symbols, and then allow formulas to include these 
terms.) 


Example: 
" prime (18) " is a proposition that's false, assuming the standard interpretation of 
prime. 


Example: 
" safe (A) " is a proposition that is true on some boards and not others. 


Relations as functions 


The relation nhbr, which we're defining as a set (of pairs), could also be thought of 
being a function. We say that the indicator function of a set is a Boolean function 
indicating whether its input is in the set or not. So instead of being given the set nhbr, 
you would have been equally happy with its indicator function fnhbr, where (for 
example) fahbr( B, C) = true and fipp,(B, Q) = false. Similarly, if you know that 
fnasPirate( K) = true and that fhasPirate( L) = false, then this is enough information to 
conclude that K € hasPirate and L ¢ hasPirate. The set and the function are 
equivalent ways of modeling the same underlying relation. 


The next two exercises aren't meant to be difficult, but rather to illustrate that, while 
we've sketched these two approaches and suggested they are equivalent, we still need 
an exact definition. 

Exercise: 


Problem: 


true if y= 2? 


For the indicator function f(x,y) = l on the domain of (pairs 


false otherwise 

of) natural numbers, write down the set-of-pairs representation for the 
corresponding binary relation. It's insightful to give the answer both by listing the 
elements, possibly with ellipses, and also by using set-builder notation. 


In general, for a binary indicator function f, what, exactly, is the corresponding 
set? 


Solution: 


{(0, 0), (1, 1), (2, 4), (3,9), - - -, (i, 1°), - - - } In set-builder notation, this is 
{(z,y) y= x°} 

In general, for an indicator function f, the corresponding set would be 

{(x, y)| f(z, y)} (Note that we don't need to write"... f(x,y) = true"; as 


computer scientists comfortable with Booleans as values, we see this is 
redundant.) 


Exercise: 


Problem: 


For the relation hasPirate = {K,T, R,U, E} on the set of (individual) 
WaterWorld locations, write down the indicator-function representation for the 
corresponding unary relation. In general, how would you write down this 
translation? 


Solution: 
true if z= K 
true if z=T 
true if z= R 
JhasPitate(T) = irue f r=UÜ 
true if r= E 


false otherwise 


true if xe R 


In general, for a (unary) relation R, fr(x) = eter © 


Since these two formulations of a relation, sets and indicator functions, are so close, 
we'll often switch between them (a very slight abuse of terminology). 


Think about when you write a program that uses the abstract data type Set. Its main 
operation is eLementOf. When might you use an explicit enumeration to encode a 

set, and when an indicator function? Which would you use for the set of WaterWorld 
locations? Which for the set of prime numbers? 


Functions as Relations 


Some binary relations have a special property: each element of the domain occurs as 

the first item in exactly one tuple. For example, 

isPlanet = {(Earth, true), (Venus, true), (Sol, false), (Ceres, false), (Mars, true) } 
is actually a (unary) function. On the other hand, 

isTheSquareOf = {(0, 0), (1,1), (1, —1), (4, 2), (4, —2), (9, 3), (9, —3),...} is not 

a function, for two reasons. First, some numbers occur as the first element of multiple 
pairs. Second, some numbers, like 3, occurs as the first element of no pairs. 


We can generalize this to relations of higher arity, also. This is explored in this exercise 
and this one. 


Binary Relations 


One subclass of relations are common enough to merit some special discussion: binary 
relations. These are relations on pairs, like nhbr. 


Binary Relation Notation 


Although we introduced relations with prefix notation, e.g., <(z, j), we'll use the more 
common infix notation, 2 < 7, for well-known arithmetic binary relations. 


Binary Relations as Graphs 


In fact, binary relations are common enough that sometimes people use some entirely 
new vocabulary: A domain with a binary relation can be called vertices with edges 
between them. Together this is known as a graph. We won't stress these terms right 
now, as we're not studying graph theory. 


Binary relations (graphs) can be depicted visually, by drawing the domain elements 
(vertices) as dots, and drawing arrows (edges) between related elements. 


A binary relation with a whole website devoted to it is "has starred in a movie with". 
We'll call this relation hasStarred With over the domain of actors. Some sample 
points in this relation: 


e hasStarred With (Ewan McGregor, Cameron Diaz), as witnessed by the 
movie A Life Less Ordinary, 1997. 

e hasStarred With (Cameron Diaz, John Cusack), as witnessed by the movie 
Being John Malkovich, 1999. 


You can think of each actor being a "location", and two actors being "adjacent" to each 
other if they have ever starred in a movie together; two of these locations, even if not 
adjacent might have a multi-step path between them. (There is also a shorter path; can 
you think of it? The (in)famous Kevin Bacon game asks to find a shortest path from 
one location to the location Kevin Bacon. Make a guess, as to the longest shortest path 
leading from (some obscure) location to Kevin Bacon.) 


Some other graphs: 


e Vertices can be tasks, with edges meaning dependencies of what must be done 
first. 


In parallel processing, Vertices can be lines of code; there is an edge between two 
lines if they involve common variables. Finding subsets of vertices with no lines 
between them represent sets of instructions that can be executed in parallel (and 
thus assigned to different processors.) 

"Word ladders" seek to transform one word to another by changing one letter at a 
time, while always remaining a word. For example, a ladder leading from WHITE 
to SPINE in three steps is: 


o WHITE 

o WHINE 

o SHINE 

o SPINE 

If a solution to such a puzzle corresponds to a path, what do vertices represent? 
What are edges? Do you think there is a path from any 5-letter word to another? 


interpretations 
Interpretations map relation-symbols to an actual relation. 


Needing Interpretations to Evaluate Formulas 


You might have noticed something funny: we said safe (a) depended on the 
board, but that prime (18) was false. Why are some some relations 
different than others? To add to the puzzling, there was a caveat in some 
fine-print from the previous section: " prime (18) is false under the 
standard interpretation of prime ". Why these weasel-words? Everybody 
knows what prime is, don't they? Well, if our domain is matrices of integers 
(instead of just integers), we might suddenly want a different idea "prime". 


Consider the formula E(x, x) true for all x in a domain? Well, it depends 
not only on the domain, but also on the specific binary relation E actually 
stands for: 


e for the domain of integers where F is interpreted as "both are even 
numbers", E(x, x) is false for some z. 

e for the domain {2, 4, 6,8} where Æ is interpreted as "sum to an even 
number", E(x, x) is true for every z. 

e for the domain of integers where E is interpreted as "greater than", 
E(x, x) is false for some x (indeed, it's false for every <x). 

e for the domain of people where E is interpreted as "is at least as tall 
as", E(x, x) is true for every z. 


Thus a formula's truth depends on the interpretation of the (syntactic, 
meaning-free) relation symbols in the formula. 


Interpretation 
The interpretation of a formula is a domain, together with a mapping 
from the formula's relation symbols to specific relations on the 
domain. 


One analogy is " Programs are to data, as formulas are to interpretations ". 
(In particular, the formula is a like a boolean function: it takes its input 
(interpretation), and returns true or false.) 


Using Truth Tables to Summarize Interpretations (Optional) 


Consider the formula ¢ = R(x, y) > S(x,y) A ~T (a, y). As yet, we 
haven't said anything about the interpretations of these three relations. But, 
we do know that each of R(x, y), S(x,y), and T(z, y) can either be true or 
false. Thus, treating each of those as a proposition, we can describe the 
formula's truth under different interpretations. 


R(z,y) S(x,y) R(z,y) $ 

false false false true 
false false true true 
false true false true 
false true true true 
true false false false 
true false true false 
true true false true 
true true true false 


Using Formulas to Classify Interpretations (Optional) 


In the previous section, having a formula was rather useless until we had a 
particular interpretation for it. But we can view that same idea backwards: 


Given a formula, what are all the interpretations for which the formula is 
true? 


For instance, consider a formula expressing that an array is sorted 
ascendingly: For all numbers i,j, (i < j) = (element (i) < element (7)). 
But if we now broaden our mind about what relations/functions the symbols 
element, <, and < represent and then wonder about the set of all 
structures/interpretations which make this formula true, we might find that 
our notion of sorting is broader than we first thought. Or equivalently, we 
might decide that the notion "ascending" applies to more structures than we 
first suspected. 


Similarly, mathematicians create some formulas about functions being 
associative, having an identity element, and such, and then look at all 
structures which have those properties; this is how they define notions such 
as groups, rings, fields, and algebras. 


Encoding Functions as Relations 


What about adding functions, to our language, in addition to relations? 
Well, functions are just a way of relating input(s) to an output. For example, 
3 and 9 are related by the square function, as are 9 and 81, and 0,0. Is any 
binary relation a function? No, for instance {(9, 81), (9,17)} is not a 
function, because there is no unique output related to the input 9. 


How can we enforce uniqueness? The following sentence asserts that for 
each element x of the domain, R associates at most one value with x: For 
all z, y and z of the domain, 

Equation: 


R(x, y) A R(x, z) zA (y T 2) 


This is a common trick, for to describe uniqueness: if y and z each have 
some property, then they must be equal. (We have not yet specified that for 


every element of the domain, there is at least one element associated with 
it; we'll get to that later.) 
Exercise: 


Problem: 

We just used a binary relation to model a unary function. Carry on this 
idea, by using a ternary relation to start to model a binary function. In 
particular, write a formula stating that for every pair of elements w, x 


in the domain, the relation S associates at most one value with that 
pair. 


Solution: 


For all w, x, y, and z of the domain, 
Equation: 


S(w, x,y) A S(w, x, z) Eå (y= z) 


Relations and Logic: Non-standard Interpretations 


Prime factorization 


Note that there are other possible interpretations of “prime”. For example, 
since one can multiply integer matrices, there might be a useful concept of 
“prime matrices”. 


For example: Consider only the numbers F = {1, 5,9, 13, ...} — that is, 
F = {k, 4k + 1| k € N}. It's easy to verify that multiplying two of these 
numbers still results in a number of the form 4k + 1. Thus it makes sense to 
talk of factoring such numbers: We'd say that 45 factors into 59, but 9 is 
considered prime since it doesn't factor into smaller elements of F. 


Interestingly, within F, we lose unique factorization: 

441 = 9 x 49 = 21 x 21, where each of 9, 21, and 49 are prime, relative 
to F! (Mathematicians will then go and look for exactly what property of a 
multiplication function are needed, to guarantee unique factorization.) 


The point is, that all relations in logical formula need to be interpreted. 
Usually, for numbers, we use a standard interpretation, but one can consider 
those formulas in different, non-standard interpretations! 


The Poincaré Disc 


A long outstanding problem was that of Euclid's parallel postulate: Given a 
line and a point not on the line, how many lines parallel to the first go 
through that point? Euclid took this as an axiom (unable to prove that it 
followed from his other axioms). Non-Euclidean geometries of 
Lobachevsky and Riemann took different postulates, and got different 
geometries. However, it was not clear whether these geometries were sound 
— whether one could derive two different results that were inconsistent 
with each other. 


Henri Poincaré developed an ingenious method for showing that certain 
non-Euclidean geometries are consistent — or at least, as consistent as 
Euclidean geometry. Remember that in Euclidean geometry, the concepts 


“point” and “line” are left undefined, and axioms are built on top of them 
(e.g., “two different lines have at most one point in common”). While it's 
usually left to common sense to interpret “point”, “line”, and “a point is on 
a line”, any interpretation which satisfies the axioms means that all 
theorems of geometry will hold. 


The Poincaré disc is one such interpretation: “point” is taken to mean “a 
point in the interior of the unit disc”, and “line” is taken to mean “a circular 
arc which meets the unit disc at right angles”. So a statement like “two 
points determine a line” can be interpreted as "[*] For any two points inside 
the disc, there is exactly one circular arc which meets the disc at right 
angles." Indeed, this interpretation preserves all of Euclid's postulates 
except for the parallel postulate. You can see that for a given line and a 
point not on it, there are an infinite number of parallel (that is, non- 
intersecting) lines. 


Some lines in the Poincaré disc, 
including several lines parallel 
to a line L through a point p. 


(Note that the distance function is very different within the Poincaré disc; in 
fact the perimeter of the disc is off at infinity. Angles, however, do happen 
to be preserved.) 


The critical point of his interpretation of a non-Euclidean geometry is this: 
it is embedded in Euclidean geometry! So we are able to prove (within 
the embedding Euclidean geometry) that the disc-postulates hold (e.g., we 
can prove the statement [*] above as a theorem about circular arcs in 
Euclidean geometry). Therefore, if there is any inconsistency in non- 
Euclidean geometry, then that could be parlayed into some inconsistency of 
Euclidean geometry. Thus, his interpretation gives a proof that the strange 
non-Euclidean geometry is as sound as our familiar Euclidean geometry. 


P vs. NP and Oracles 


A well-known problem in computer science — “P vs. NP” — asks whether 
(for a given problem) it is truly more difficult to find a short solution (when 
one exists) (“NP”), than it is to verify a short purported solution handed to 
you (“P”). For example, “Given a set of people and how strong person is, 
can you partition them into two tug-of-war teams which are exactly evenly 
matched?” Certainly it seems easier to check that a pair of proposed rosters 
has equal strength (and, verify that everybody really is on one team or the 
other) than to have to come up with two perfectly-matched teams. But 
conceivably, the two tasks might be equally-difficult up to some acceptable 
(polynomial time) overhead. While every assumes that P is easier than NP, 
nobody has been able to prove it. 


An interesting variant of the problem lets both the problem-solver and the 
purported-answer-verifier each have access to a particular oracle — a 
program that will gives instant yes/no answers to some other problem (say, 
“given any set of numbers, yes or no: is there an even-sized subset whose 
total is exactly the same as some odd sized subset?”). 


It has been shown that there is some oracle which makes the problem- 
solver's job provably tougher than the proof-verifier's job, and also there is 
some other oracle problem-solver's job provably no-tougher than the proof- 
verifier's job. 


This means that any proof of P being different from NP has to be subtle 
enough so that when P and NP are re-interpreted as “P and NP with respect 
to a particular oracle”, the proof will no longer go through. Unfortunately, 
this eliminates all the routine methods of proof; we know that solving this 
problem will take some new attack. 


Lowenheim-Skolem and the real numbers 


The L6wenheim-Skolem theorem of logic states that if a set of (countable) 
domain axioms has a model at all, then it has a countable model. This is a 
bit surprising when applied to the axioms of arithmetic for the real 
numbers: even though the real numbers are uncountable, there is some 
countable model which meets all our (finite) axioms of the real numbers! 


Object-oriented programming 


Note that object-oriented programming is founded on the possibility for 
nonstandard interpretations: perhaps you have some code which is given a 
list of Obj ects, and you proceed to call the method toString on each 
of them. Certainly there is a standard interpretation for the function 
Object. toString, but your code is built to work even when you call 
this function and some nonstandard, custom, overridden method is called 
instead. 


It can become very difficult to reason about programs when the run-time 
method invoked might be different from the one being called. We're used to 
specifying type constratins which any interpretation must satisfy; wouldn't 
it be nice to specify more complicated constraints, e.g. “this function 
returns an int which is a valid index into [some array]”? And if we can 
describe the constraint formally (rather than in English comments, which is 
how most code works), then we could have the computer enforce that 
contract! (for every interpretation which gets executed, including non-static 
ones). 


An obvious formal specification language is code itself — have code which 
verifies pre-conditions before calling a function, and then runs code 
verifying the post-condition before leaving the function. Indeed, there are 


several such tools about (Java, Scheme). In the presence of inheritance, it's 
harder than you might initially think to do this correctly. 


It is still a research goal to be able to (sometimes) optimize away such run- 
time verifications; this requires proving that some code is correct (at least, 
with respect to its post-condition). The fact that the code might call a 
function which will be later overridden (our “non-standard interpretations”) 
exacerbates this difficulty. (And proving correctness in the presence of 
concurrency is even tougher!) 


Even if not proving programs correct, being able to specify contracts in a 
formal language (code or logic) is a valuable skill. 


Real-World Arguments 


Finally, it is worth noting that many rebuttles of real world arguments (see 
also some exercises) amount to showing that the argument's form can't be 
valid since it doesn't hold under other interpretations, and thus there must be 
some unstated assumptions in the original. 


modeling with relations 
(Blank Abstract) 


Modeling with Relations 


Note: Note that the nhbr relation can actually represent an arbitrarily weird 
board, such as locations that look adjacent on the map but actually aren't, boards 
which wrap around a cylinder or toroid, or a location with a tunnel connecting it 
to a location far across the board (like the secret passages in the game Clue, or 
the harrowing sub trip through Naboo in Star Wars: The Phantom Menace.) One- 
way passages can be encoded as well (meaning the nhbr relation need not be 
symmetric). Actually, any graph can be represented! 


Exercise: 
Problem: 


How shall we encode concepts such as " location A has 3 dangerous 
neighbors ", using relations? 


Solution: 


A good first guess might be to say we have a function which returns the 
number of pirates next to a given location. That is, " piratesNear (A) = 3". 
However, "piratesNear" doesn't qualify as a relation. Why not? 


To work around this, we could propose a binary relation along the lines of " 
piratesNear (A, 3) = true ". This is better, but it requires our domain to be 
not only board locations, but also numbers. And to be able to talk about 
numbers, we'd need more axioms, as well as numeric relations such as >. 


Note: Hmmm, what is the arity of ">"? 


While this approach is feasible, and ultimately might be what we want, for 
now, let's stick with relations involving only locations, not numbers. 


Okay, the third time's the charm: we'll implement the concept "A neighbors 
three pirates" as a relation has-3(A) being true. To cover the cases when 
there are exactly two neighboring pirates, we'll use a whole new separate 
relation, "has-2"; has-2(A) would be false on any board where has-3(A) is 
true (at least, in our standard interpretation). 


Proofs otherwise unchanged. Note that we might express our rules as " for any 
locations æ and y, we have the following axiom: 

has-3(x) A nhbr (z, y) = —safe (y) ". Really, note that there's something else 
going on here: x and y are symbols which can represent any location: they are 
variables, whose value can be any element of the domain. 


For the domain of types-of-vegetables, the relation yummy is a useful one to 
know, when cooking. In case you weren't sure, 
yummy (Brussels sprouts) = false, and yummy (carrots) = true. 


Suppose we had a second relation, yucky. Is it conceivable that we could model a 
vegetable that's neither yucky nor yummy, using these relations? Sure! (Iceberg 
lettuce, perhaps.) In fact, we could even have a vegetable which is both yammy 
and yucky — radishes! 


Note: A quick digression on a philosophical nuance: the domain for the above 
problem is not vegetables; it's types-of-vegetables. That is, we talk about whether 
or not carrots are yummy; this is different than talking the yumminess of the 
carrot I dropped under the couch yesterday, or the carrot underneath the chocolate 
sauce. In computer science, this often manifests itself as the difference between 
values, and types of values. As examples, we distinguish between 3 and the set of 
all integers, and we distinguish between particular carrots and the abstract idea of 
carrots. (Some languages even include types as values.) Philosophers enjoy 
debating how particular instances define the abstract generalization, but for our 
purposes we'll take each both vegetables and types-of-vegetables as given. 


Exercise: 


Problem: 


You might have objected to the idea of the unary relation yummy, since 
different people have different tastes. How could you model individuals’ 
tastes? (Hint: Use a binary relation.) ) 


Solution: 


We can use the binary relation thinksIsYummy: In particular, 
thinksIsYummy (Ian, anchovies) = false but 

thinksIs Yummy (Phokion, anchovies) = true What set are we using, as 
the domain for this? Really, the domain is the union of people and pizza- 
toppings. So thinksIsYummy (radishes, brusselsSprouts) is a valid thing 
to write down; it would be false. Note that if working with such a domain, 
having unary predicates isVegetable and isPerson would be useful. 


Modeling actors and the has-starred-with relation didn't include information about 
specific movies. For instance, it was impossible to write any formula which could 
capture the notion of three actors all being in the same movie. 

Exercise: 


Problem: 


Why doesn't 

hasStarred With (a,b) A hasStarredWith (b,c) ^A hasStarredWith (c, a) 
capture the notion of a, b, and c all being in the same movie? Prove your answer 
by giving a counterexample. 


Solution: 


The proposed formula asserts that each pair has been in some movie together, 
but they each could have been different movies without being in the same 
one simultaneously. As a counterexample, it is true that 

hasStarred With (Charlie Chaplin, Norman Lloyd) (as witnessed by 
Limelight, 1952), hasStarredWith (Norman Lloyd, Janeane Garofolo) 
(as witnessed by The Adventures of Rocky and Bullwinkle, 2000), and if we 
generously include archive footage, 

hasStarred With (Charlie Chaplin, Janeane Garofolo) (as witnessed by 
Outlaw Comic: The Censoring of Bill Hicks, 2003); however, they have not 


all been in a movie together. Might the counterexample you chose become 
nullified, in the future? 


Exercise: 


Problem: 


How might we make a model which does capture this? What is the domain? 
What relations do you want? 


Solution: 


As always, there are several ways of modeling this problem. We'll outline 
three. 


First, we could augment the hasStarred With to be a ternary (3-input) 
relation to include the movie. Like in the yammy extension, the domain 
would then include both actors and movies, and we'd also want relations to 
know which is which. 


Second, we could use a bunch of relations. Starting with the familiar binary 
hasStarred With, we'd add the ternary hasStarred With3, the quaternary 
hasStarred With4, .... Our domain would just be actors. However, we'd 
either need an infinite number of such relations, which we normally don't 
allow, or we'd need an arbitrary cap on the number of people we're interested 
in at a time. 


Third, we could use sets of actors, instead of individuals. We'd need only one 
relation, haveStarredtogether, that states a set of actors have starred 
together in a single movie. 


Of course, the notion of interpretations are still with us, though usually everybody 
wants to be thinking of one standard interpretation. Consider a relation with 
elements such as isChildOf (Bart, Homer, Marge). Would the triple 

(Bart, Marge, Homer) be in the relation as well as (Bart, Homer, Marge)? 


As long as all the writers and users of formulas involving isChildOf all agree on 
what the intended interpretation is, either convention can be used. 


A Case Study: iTunes 


Consider iTunes' "smart playlists": you can create a playlist consisting of (say) " 
All songs I've rated 3-stars or better, and whose genre is not Classical ". This is 
"smart" because its a program which is re-run every time your music library 
changes: For example, if you change a song's genre, it may be immediately added 
or deleted from the playlist. We realize actually have a simple formula (which we 
can express in propositional logic with relations). The structure (instance) for a 
single is the interpretation. This formula is true when interpreted on (my library's 
representation of) Brian Eno's "Here Come the Warm Jets", but false for Bonnie 
Tyler's '80's epic "Holding Out for a Hero" and for Bach's " 'Little' Fugue in Gm ". 
We now have one formula, and want to determine its truth-value in many different 
particular interpretations. In fact, we want to return all interpretations which make 
the formula (playlist) true. 

Exercise: 


Problem: 


Look at the GUI box for defining these queries. Compared to propositional 
logic, what sort of formulas can you define? 


Solution: 
This is effectively Disjunctive or Conjunctive Normal Form, limited to 
clauses of one term each. 

Exercise: 
Problem: 
Are there queries which can't be directly transliterated into the GUI box? 
[footnote] 
"Transliterate" meaning a word-for-word substitution, while "translate" 
preserves meanings and idioms. So while the German "Ubung macht den 


Meister" transliterates to "Drill makes the master", it translates to "Practice 
makes perfect". 


Solution: 


Yes. Two examples are — ( (genre = Classical) V (genre = Holiday)), 
and (genre = Rock) ^ ((Rating > 4) V (genre = Classical)). 


Exercise: 


Problem: 


Can you find formulas equivalent to each of the preceding two, which can be 
expressed? 


Solution: 


For the first example, — ((genre = Classical) V (genre = Holiday)), we 
can clearly use DeMorgan's law and make the query 
— (genre = Classical) ^A — (genre = Holiday). 


However, for 

(genre = Rock) ^A ((Rating > 4) V (genre = Classical) ) there is no 
equivalent one-term-per-clause DNF or CNF formula! [footnote] 

Budding logicians might wonder how you actually prove this claim! 


Fortunately, iTunes has a way around this. Playlist membership or non- 
membership is itself an available predicate, allowing you to nest playlists. 
Thus, you can build a playlist GoodOrClassical for 

(Rating > 4) V (genre = Classical), then another 

(genre = Rock) A GoodOrClassical for the desired result. 


The upshot is that iTunes came up with a query language which is as expressive 
as propositional[footnote] logic. For some queries, it can be awkward to use, but 
the GUI designers who came up with smart playlists might have figured that few 
users would want such queries. 


Note: How might you create a GUI widget which can specify any propositional 
formula, and yet still look nice and be intuitive enough for my mother to use? Is 
there a better usability/expressibility trade-off than what iTunes has done, or are 
they optimal? 


Technically, this is a "relational calculus" formula, since we are using relations 
instead of flat propositions. 


syntax and semantics of quantifiers 
Introducting quantifiers, to upgrade from propositional logic to first-order logic. 


Talking about unnamed items 


Suppose we want to express a statement like "there is a location which has two neighbors" (which is true, at least 
for the domain of WaterWorld board locations), or " all actors have co-starred with Kevin Bacon " (which isn't 
true, at least for the domain of all Hollywood actors). As it stands, we can formulate these only awkwardly, by 
talking about specific (constant) locations like A and G, or specific actors like Ewan McGregor and Cameron 
Diaz. To talk about all locations, or actors, we're forced to make huge formulas such as 

nhbr(Z,Y) A anhbr(Z,A) A =nhbr(Z,B) A ... A anhbr(Z,X), just to express "there is a location 
which has only one neighbor". 


We'll redress this by introducing two quantifiers, 3 ("there exists") and V ("for all"). For example, "all actors have 
co-starred with Kevin Bacon" will be written Va : (coStarredWith (a, Kevin Bacon)). For " there is a location 
which has (at least) two neighbors ", we'll start with " there exists a location x ... ", written da : (...). 


"For all" is really just an abbreviation for a large conjunction, while "exists" is a disjunction (it could also be called 
"for some", though it's not). How large a conjunction/disjunction? As big as your domain, which actually could be 
very small, or it could be infinitely large. Even aside from the fact that we can't write down an infinitely large 
conjunction or disjunction, quantifiers let us form the conjunction without having to select a domain in advance. 


To continue with our WaterWorld example, how can we express the concept "x has (at least) two neighbors"? 
Well, we'll rephrase this as, " there exist distinct locations, y and z, which each of which is a neighbor of æ ", 
written Sa : (dy: (dz: ((y#z) A nhbr(z,y) A nhbr (x, z)))). We need the condition — (y = z) in that 
formula to ensure that we have distinct locations. Compare to the algebraic equation x + y = 4 in which one 
possible solution is x = y = 2. Variables act the same way in both logic and algebra: different variables can 
happen to take on the same value. 


We use quantifiers all the time in natural language. Consider the following examples, where we provide a natural 
English wording together with an equivalent phrasing that makes the quantification more explicit. We'll take the 
translations with a grain of salt, since sometimes people can disagree on the exact details of the intended English 
meaning. Such ambiguity can sometimes be a rich source of creativity, but it's not tolerable when documenting 
safety properties of software. While some of these examples are a bit frivolous, in general quantifiers let us 
precisely capture more interesting concepts in type-checking, data structures such as trees and hash tables, circuit 
specifications, etc. 


Natural English 
" If you don't love yourself, you can't love anybody 
else. " 


"N*Sync is the best band ever!" 


A casually subtle line from Something About Mary: 
"Every day is better than the next." 


Formalized English 


" If you don't love you, there does not exists a 
person y, such that you love y. " 


"For all bands z, N*Sync is better than band z (or, 


x = N*Sync)." A quick listen can easily show 
this statement false. 


"For all days x, æ is better than next(z). " 


Natural English 


A buggy line from a song (Everybody Loves My 
Baby, Jack Palmer and Spencer Willson, 1924): 
"Everybody loves my baby; My baby don't love 
[anybody] but me." 


"Every neighbor of x is unsafe." 


"There is a safe location that is a neighbor of x, if 
num(x)<3." 


"If you've seen one episode, you've seen ‘em all." 


"Somebody loves everybody." 


"There is someone for everybody." 


"All's well that ends well." 


Quantification in English 


Warning: The Ambiguous "Any" 


Formalized English 


" For all persons x, x loves my baby. For all 
persons y, if my baby loves y, then y is me. " If 
true, one can conclude the speaker is his own baby, 
and is narcissistic. 


"For all locations y, if y is a neighbor of æ, then y 
is unsafe." 


"If num(x)<3, then there exists a location y, such 
that y is safe, and y is a neighbor of x." 


"If there exists one episode æ such that you've seen 
x, then for all episodes z, you've seen z." 


"There exists some person y, such that for all 
persons g, y loves x." 


"For all persons g, there exists a person y, such that 
yis for x." 


"For all events x, if x ends well then z is well." 


The ambiguous "any": I was playing a game with some friends, and we came across the rule: " If you have more 
cards than any other player, then discard a card. " Does this mean "than all other players", or "than some other 
player"? Our group's opinion was divided (incl. across many native English speakers). 


In our class terms, it's not always clear whether "any" means for-all, or for-some (there-exists). Or maybe more 
accurately, in the phrase "for any x", does æ necessarily mean an arbitrary player? 


Note: Linguistics students, or those who are so sure the rule clearly intended "than all other players": Switching " 
z>y"to" x < y" changes from an active voice to a passive voice but may also reverse your interpretation of 
the English quantifier "any": "If any player has fewer points than you, ..." 


In your proof-writing (and your English writing, and your informal writing), think about replacing "any" with 
either "every" or with "some", to make your meaning clear. 


First-order logic: WFFs revisited 


We originally defined a well-formed formula (WFF) for propositional logic; we'll extend this to WFFs for first- 
order logic, also known as predicate logic. At the same time, we'll more precisely define the binding of variables. 


This logic allows use of both functions and relations. Since these functions’ outputs are not Booleans (otherwise, 
we'd call them relations), but rather data than can be used as a relation's input, we separate the syntax into that of 
terms and formulas. Terms are all the possible inputs for a relation. 


term 
A variable. 
A constant. 
A function applied to one or more terms. 


Example: 
Me (Ds coc 


Example: 
WaterWorld location F', Kevin Bacon, or the number 3. 


Example: 
successor (3) 


Well-Formed Formula (WFF) for first-order logic 
A constant: true or false. 
An atomic formula: a relation symbol applied to one or more terms. 
A negation of a WFF, ~g. 
A conjunction of WFFs, p A w. 
A disjunction of WFFs, y V w. 
An implication of WFFs, y => w. 
A universal quantification of a WFF, Vz : (). 
An existential quantification of a WFF, Jz : (¢). 


Example: 
nhbr (z, F) 


Example: 
Vz : (nhbr (z, F)) 


Example: 
Jz : (nhbr (z, F)) 


While a formula is just a piece of syntax, the meaning of its connectives, including the quantifiers, is part of the 
definition of a WFF. However, as previously discussed, the meaning of a WFF also depends on the interpretation 
we give to its relations. 


Examples 


Example: 
Everybody likes John Cusack: Vz : (likes (x, John Cusack)). 


Example: 
Somebody likes Joan Cusack: Jz : (likes (x, Joan Cusack)). 


Example: 
Somebody likes everybody: Jæ : (Vy: (likes (x, y))). (We use n for "needy"?) 


Example: 
Everybody likes somebody: Vy : (Sa : (likes (y, z))). Careful; this formula looks similar to the preceding one, 
but it has a very different meaning! 


Exercise: 


Problem: How would you express "Somebody is liked by everybody"? 


Solution: 


The cue "Somebody ..." suggests one person who exists; we'll call them p for "popular": 3p : (...). Now we 
need to fill in the dots with "everybody likes p", to get: 3p : (Va : (likes (x, p))). 


Exercise: 


Problem: How would you express "Everybody is liked by somebody"? 


Solution: 


The cue "Everybody ..." suggests a universal; we'll call them 7 for "J. Doe": Vj: (...). Now we need to fill in 
the dots with "somebody likes 7", to get: Vj : (Sa : (likes (x, j))). Note that this formula is just like the 
preceding ''Somebody likes everybody" example, except that the quantifiers have been swapped (and different 


variable names were used, a superficial difference). 


Example: 

The following formula is a simple application of symmetry. 

Vz : (Vy: (near (x,y) = near (y,x))) A near (Sue, Joe) > near (Joe, Sue). 

While it is certainly true under the intended interpretation, it is also true under any interpretation. Such formulas 
are called valid. Valid first-order formulas are the natural analog of tautological propositional formulas. 


Example: 
Vz : (even (x) A prime (x) = (x = 2)) is a mathematical fact, in the standard interpretation of arithmetic. 


While technically not allowed by our term and formula syntax, we'll continue using infix notation for common 
mathematical functions and relations, as in the previous example. 
Exercise: 


Problem: 

The previous example used the relations even and prime. Of course, to use such relations, they must either 
be defined directly by the interpretation, or be defined in terms of functions and relations provided by the 
interpretation. 


How would you define these two relations in terms of the basic numerical functions (addition, multiplication, 
...) and relations (= , <, >)? 


Solution: 


"Evenness" is a straightforward translation from " An integer n is even, iff it is twice some other integer k ": 
even (n) = Jk : (n = 2k). Note that by this standard definition, zero is even. 


There are many equivalent ways to define primality, just as there many algorithms for checking primality. 
One straightforward solution is noncomposite (n) = Vj: (Vk: ((jk =n) > (j =1) v (k= 1))). Well, 
this is almost expresses "prime", except that n = 1 satisfies this formula. A mathematician points out that just 
as 0 is neither positive nor negative, 1 is neither prime nor composite; as stated this formula actually captures 
"noncomposite", oops. There are several ways to upgrade this to exactly capture "prime". 


Note: 1 is called a "unit". If we consider the domain of all integers (not just natural numbers), the idea of 
primality still makes sense; -17 is also prime; and -1 is also another unit. Similarly, considering the domain 
of "complex integers" {a,b,a + biļa € Z A b € Z} (could be written" Z + Zi"), then ¿ and —i are also 
units. How might we generalize our definition of prime, to work in these further interpretations? 


A similar, equivalent formula to the above is 
noncomposite (n) = 747: (dk: ((jk =n) A (G41) A (KF 1))). 


Exercise: 


Problem: 


One hypothesis about natural numbers is known as Goldbach's Conjecture. It states that all even integers 
greater than two can be expressed as the sum of two primes. It is one of the oldest still-unsolved problems 
about numbers. How would you write this conjecture as a WFF? 


Solution: 


Vn : (even (n) A (n > 2) > dp: (dq: (prime (p) A prime (q) A (p+q = n)))) 


Enough about number theory. Let's look at some examples about common data structures and some about our 
favorite problem, WaterWorld. 


Example: 

If your program uses binary search trees and your domain is tree nodes, you need to know 

Vnode : ((data (left (node)) < data(node)) A (data (right (node)) > data (node))). If these trees are also 
balanced, you need to know 


Vnode : ((height (left (node)) = height (right (node))) V (height (left (node)) + 1 = height (right (node) 
. Again, these assume the implied interpretations. 


Example: 

We would like to be able to state that the output of a sorting routine is, in fact, sorted. Let's assume we're sorting 
arrays into ascending order. 

To talk about the elements of an array in a typical programming language, we would write something like afi]. 
For this example, we'll use that notation, even though it doesn't quite fit the logic's syntax. 

To describe sortedness (in non-decreasing order), we want to state that each element is greater than or equal to the 
previous one. However, just like in a program, we need to ensure our formula doesn't index outside the bounds of 
the array. For this example, we'll assume that an array's indices are zero to (but not including) size (a). 

sorted (a) = Vi: ((1 <i) A (i < size (a)) => (ali — 1] < afi])) 

When proving things about programs, it's often useful to realize there are alternate ways of defining things. So, 
let's see a couple more definitions. 

We could change our indexing slightly: sorted (a) = Vi: ((0 < i) A (i < size (a) — 1) = (aļi] < alt + 1])). 
Or we could state that the ordering holds on every pair of elements: 

sorted (a) = Vi: (Vj: ((0 <i) A (i < size (a)) A (0< j) A (j < size (a)) A (i < j) = (alļi] < aļ[j]))) 
. This definition isn't any stronger, but it makes an additional property explicit. Generally, you'd find it harder to 
prove that this formula was true, but once you did, you'd find it easier to use this formula to prove other 
statements. 


Exercise: 


Problem: 


The two preceding examples used functions like left, size, and subtraction, although our logic syntax doesn't 
include such functions. However, we can rewrite any use of functions with appropriate new relations. 


As an example, rewrite į < size (a) in proper first-order syntax. 


Solution: 


We need a new relation that combines the syntax of < and size. The result would look like 
less-than-size(i, a). This assumes the new relation has the obvious intended definition. 


Exercise: 


Problem: 


One simple WaterWorld fact is that if a location has no unsafe neighbors, then its number of adjacent pirates 
is zero. Furthermore, the implication goes both ways. How would you state that as a WFF? 


Solution: 
Vz : (Vy: (nhbr (a, y) => safe (y)) = has-0(x)) 
Exercise: 
Problem: How would you make a similar statement about the number of adjacent pirates being one? 
Solution: 


There are various solutions, but they all must capture the same idea: there exists exactly one unsafe neighbor. 
This solution states that in two parts: 


e There exists an unsafe neighbor, w. 
e Every unsafe neighbor is u. 


Together, these two parts imply there is only one such u. 


Vz : (du: (nhbr(a,u) A —safe(u) A Vy: (nhbr (x, y) > (~safe (y) = y = u))) = has-1(z)) 


These statements are very similar to, and provable from, the first-order WaterWorld domain axioms. 


A hint on deciphering formulas' meanings 


Some formulas can get pretty hairy: Va : (dy: (Vz: (likes (z, y) A — likes (y, z)))). The zeroth step is to take a 
breath, and read this in English: for every x, there's some y such that for every z, x likes y but y doesn't like z. 
Even so, how do we approach getting a handle on what this means? Given an interpretation, how do we know it's 
true? 


The top-down way would be to read this formula left-to-right. Is the whole formula true? Well, it's only true if, for 
every possible value of x, some smaller formula is true (namely, " there exists a y such that forall z, likes (x, y) 
and — likes (y, z). "). (This is a formula with z free, that is, it's a statement about æ.) And is that formula true? 
Well, precisely when we can find some y such that ... (and so on). This direct approach is hard to keep inside your 
head all at once. 


Most people prefer approaching the problems in a bottom-up manner (or if you prefer, right-to-left or inside-out): 
First consider at the small inner bits alone, figure out what they mean, and only then figure out how they relate. 


e What does the innermost formula likes (x,y) ^A — likes (y, z) mean, in English? That's not so bad: z likes y, 
and y dislikes z. A statement about three people called z, y, z. 

e Working outward, what does Vz : (likes (a, y) A —likes (y, z)) mean? Ah, not so bad either: æ likes y, and 
y dislikes everybody. [footnote] 
Or if you prefer, "æ likes y, who is a misanthrope". A self-loathing misanthrope, at that! 

e Keep on going: dy: (Vz: (likes (z,y) A —likes (y, z))) becomes "x likes some misanthrope". 

e Now it's clear: Va : (dy: (Vz: (likes (x,y) A —likes (y, z)))) is just "everybody likes some misanthrope". 


Phew! 


"Forall"'s friend "if" 


We have already seen quite a few formulas of the general form Vz : (P(x) = ...). Indeed, this is a very useful 
idiom: If our domain is natural numbers but we want to say something about all primes, we simply write 
Yn : (prime (n) = ...). Don't be fooled; this formula is in no way suggesting that all numbers are prime! 


Note: This same construct using J is usually a mistake. Consider Sa : (P(x) = ...). By choosing z to be any 
non-P element, this entire formula is true, without even glancing at what is inside the "..."! 


Note: If you have to demonstrate that all ravens are black, Vi : (isRaven (i) = isBlack (7)), there are two ways 
to do so: You can go out and find every raven and verify that it's black. Alternately, you can go and find every 
non-black item, and verify that it's a non-raven. Epistemologists, philosophers dealing with how we humans come 
to learn and know things (about, say, raven colors), go on to ponder about real-world degrees-of-belief: If we have 
only looked at some ravens, and we find another raven and confirm it is black, does this increase our degree of 


belief about all ravens being black? If so, then whenever we find a non-black item which is a non-raven, this must 
also increase our degree of belief that all ravens are black. This leads to Hempel's (so-called) Paradox: if we are 
looking for evidence to choose between two competing hypotheses (say, "all non-black items are not ravens" 
versus "all non-orange items are not ravens"), then finding a purple cow increases our belief in both of these 
hypotheses, simultaneously! 


First-Order Logic: bound variables, free variables 


In the previous examples we often re-used variable names, even within the 
same formula. This shouldn't be surprising or confusing, since we do the 
same thing in programs (another formal language). In fact, the same notions 
of bound and free variables occur in both situations. An occurrence of 
variable x is bound if it is in the body of a quantifier Væ ... or Jæ .... 
Otherwise, the occurrence is free. 


For example, in Vz : (likes (a, y)), the variable y is free but g is not. So 
this is a statement about y; we can't evaluate this to true/false until we get 
some context for y. It's useful as a subpart for some bigger formula. 


Note: The concept “x free in y” does not talk about the context of y. So 
don't confuse it with “well, over on this part of the page, y happens to 
occur as the sub-part of another formula containing Vz : (...), so x really 
is bound.” (Just as 7 is prime, even though people sometimes use 7 in the 
context of 7+1.) Whether z is free in a y can be determined by a function 
isFree(zx, y), needing no other information to produce an answer. 


Looking back at our previous examples, we can see that many of the 
formulas we made had no free variables — all variables were bound by 
some quantifier in the formula. The truth of such formulas depends only on 
the interpretation and not on any additional knowledge about what any free 
variables refer to. Thus, these formulas are common and important enough 
that we give them a special name, sentences. 


A given variable name can actually have both bound and free occurrences 
within the same formula, as in R(x) A Ja : (=R(x)). (This formula 
about x is satisfiable: it says that R is true about x, but isn't true about 
everything.) In essence, there are two different underlying variables going 
on, but they each happen to have the same name; from scope it can be 
decided which one each occurence refers to. In programming language 
terms, we'd say that the inner x (the local variable) shadows the outer x 


(the enclosing variable). In these terms, free variables in logic correspond to 
global variables in programs. 


Clearly Vx : (R(a)) is always equivalent to Vy : (R(y)); variable names 
are entirely arbitrary (except maybe for their mnemonic value). So the 
previous formula might be more clearly re-written as 

R(x) A Ay: (=R(y)). (This careful re-writing while respecting a 
variable's scope is called a-renaming.) Even if 17 quantifiers each used the 
same variable (name) æ, we could carefully a-renaming 17 times, and end 
up with an equivalent formula where all quantifiers use distinct variables. 
This will be useful to avoid potential confusion, especially in the upcoming 
inference rules, where we'll be introducing and eliminating quantifiers. 


Example: 
The formula Vx : (A(x)) A da: (B(x)) A Va : (C(x)) is equivalent to 
the more readable Vx : (A(x)) A sy: (B(y)) A Vz: (C(2)). 


First-Order Logic: normal forms, revisited 


CNF and DNF revisited (Optional) 


In first-order logic, normal forms are still useful for providing a notion of a 
canonical form. However, their other benefit of corresponding closely to 
truth tables does not apply here, since truth tables aren't useful for first- 
order logic. 


A formula in Prenex Conjunctive Normal Form, or Prenex CNF, has a 
body in CNF preceded by a series of quantifiers. Similarly, a formula in 
Prenex Disjunctive Normal Form, or Prenex DNF, has a body in DNF 
preceded by a series of quantifiers. 


Example: 
Assuming is in CNF, then the following are each in prenex CNF. On the 
other hand, if is in DNF, these are in prenex DNF. 


Every formula has an equivalent prenex CNF formula and equivalent 
prenex CNF formula. For brevity, we'll skip proving this. 


First-Order Logic: equivalences 


Now that we can express interesting concepts using the quantifiers “3” (“there exists”) and “V 
” (“for all”), how can we use them for the problem of determining whether a formula is true? 
Back in lowly propositional logic, we had three methods: 


e truth tables, 
e equivalences, and 
e formal proofs with inference rules. 


How can we adapt these approaches, for first-order logic? 


Well, truth tables have no analog approach. With quantifiers, we don't have a finite set of 
propositions. Furthermore, variables can't refer to specific items in the domain until we try to 
interpret them. And when we do, the domain may be of any size — possibly even infinite. 
Using a truth table on an infinite domain is clearly infeasible, but the real problem stems from 
how we want to be able to discuss reasoning without respect to a particular domain. 


However, we can add equivalences and inference rules to cope with quantifiers. After showing 
how to work with quantifiers, we'll come back to examine our newly-augmented systems for 
those desirable traits, soundness and completeness. 


First-order Equivalences 


When we upgrade from propositional logic to first-order logic, what changes do we need to 
make to the laws of boolean algebra? Well first off, we can keep all the existing propositional 
equivalences. For example, Vz: (~ (y A w)) = Yz : (~ V ~y). (Technically, we're even 
making those equivalences stronger, since those meta-variables y, w=, 0 can now stand for any 
first-order formula, rather than merely propositional formulas.) 


But, we also need additional identities to deal with our new-fangled quantifiers. What should 
these be? The most interesting are those that relate the two kinds of quantifiers. Universal 
quantification (V) says that something holds for all members of the domain, and existential 
quantification (4) says that something holds for at least one member. Clearly, Vx : (y) implies 
Jz : (p), but the other direction doesn't hold, so that is not an equivalence. 


Note: Wait just a minute! That implication holds only if the domain is non-empty, so that 
there is at least one member in it. We'll see this restriction appear a few times. 


What about Vz : (-y)? In English, “for all items z, p(x) does not hold”. A more natural way 
to say this is that there is no item x such that y(x) does hold — that is, ~3æ : (y). Indeed, 
this will be one of our new boolean algebra rules. 


See a list of equivalences with quantifiers. As before, we can use these to show other pairs of 


formulas equivalent, as in the following examples. 


Example: 
Using these identities, we can simplify formulas such as the following: 


woe (ve (Re) Ory) A az s (=z): 


1 Vy: (Va: (R(x) A Q(z,y))) A =3z: (-R(z)) 


2 = Vy: (Vz : (R(z) A Q(a,y))) A Yz: (“=R(2)) 

3 = Vy: (Ve: (R(x) A Q(z,y))) A Vz: (R(2)) 

4 = Vz : (Vy : (R(x) A Q(z,y))) A Vz: (R(2)) 

5 = Vz : (Vy : (R(z)) A Vy: (Q(z,y))) A Vz: (R(2)) 
6 = Vz : (R(x) A Vy: (Q(z,y))) A Vz: (R(z)) 

7 = Vz : (R(x) A Vy: (Q(z,y))) A Va: (R(z)) 

8 = Vz : (R(x) A Vy: (Q(z,y)) A R(z)) 

9 = Vz : (Vy: (Q(z,y)) A R(x) A R(z)) 

10 =Ve: (Vy: (Q(z,y)) A R(=) A R(z)) 

11 =Va: (vy: (Q(z,y)) A R(z)) 


Complementation 
of J 


Double 
Complementation 


Reordering Vs 


Distribution of V 
over ^ 


Simplification of 
Y (y not free in 
R(z)) 


renaming 


Distribution of V 
over /\ 


Commutativity of 
IN 


Associativity of 
A 


Idempotency of 
AN 


Admittedly, some of these steps are rather small and obvious (e.g., our use of commutativity 
and associativity); we include them to illustrate how the identities of propositional logic are 
also used in first-order logic. 


Example: 

An example of Vx : (Y) = w where w doesn't contain x occurring free: Let Y be the formula 
we've seen before, asserting that a positive integer n was noncomposite: 

Vj: (Vk : ((jk =n) = (j= 1) V (k = 1))). Since n occurs free, the truth of this formula 
depends on the value of n. The formula Vz : (~) really is equivalent to w: It's true for exactly 
the same values of n. The use of z is essentially a bit of a rus, since x plays no part of the 
meat of the w. 

However, the following formula is certainly not equivalent: Vn : (Y). This formula asserts 
that all elements of the domain are non-composite (and it doesn't depend on choosing a 
particular interpretation for n). Because n occurred free, we can't use the “simplification of 
quantifiers” identity on it. 

Finally, one more variant: Vj : (Y). This is equivalent to the original, just like Va : (y) was. 
Why? The j that occurs inside ~w is a local variable, and is different from any enclosing 
bindings' 7. As we saw, local variables shadow less-local ones, just as in most programming 
languages. 


Exercise: 
Problem: 
The equivalences for distributing implication over equivalences seem counterintuitive at 


first glance. Show that the following one holds, given all the identities which don't 
involve both implication and quantifiers. 


Assuming that 4% does not have any free occurrences of variable x, 
Va:(y>v) = 3z: (y) => 4. 


Solution: 
1 Vz : (y = 4) 
2 =Vz: (~ V 4%) Definition of => 


3 = Vx: (vy) Vy% Distribution of V over V 


4 =-de:(y) V% Complementation of 4 


5 = Jz: (y)> 4% Definition of = 


Are the following two sentences true? 


e “All flying pigs wear top hats.” Vp : (wears_top_hat(p)) (over the domain of flying 
pigs). 

e “All numbers in the empty set are even.” Vx : (even (z)) (over the empty domain). 

e “Every Pulitzer prize winner I've met thinks I'm smart, and cute, too!” 
Vz : (thinksImSmart AndCute (x)) (over the empty, since I haven't met any Pulitzer 
prize winners). 


Each sentence states that some property holds for every member of some set (flying pigs or 
the empty set), but there are no such members. Such sentences are considered vacuously true. 


Okay, maybe you believe that the sentences aren't false, but you still want some reason to 
consider them true. Well, think of their negations: 


e “There exists a flying pig not wearing a top hat.” 4p : (>wears_top_hat), over the 
(empty) domain of flying pigs. You can't go off and find a flying pig which contradicts 
this, since you can't find any flying pig at all. (Note that the negation isn't “No flying 
pigs wear top hats.”’) 

e “There exists a number in the empty set that is even.” Jx : (~ even), over the empty 
domain. (The negation isn't “No numbers in the empty set are even.”) 


Since these negations are false, the original sentences must be true. This is also similar to the 
fact that a simple propositional implication, a = b is true, if a is in fact false, regardless of the 
truth of b; in this crude analogy, a corresponds to “in the domain”. 


Note: In boolean algebra, we only allow the values false and true, with no third option. This 
is sometimes called the law of the excluded middle. Philosophers have developed 
“trimodal” logics which have a third option, but everything in those logics can be translated 
into something in traditional logic; such logics might be more convenient in some cases, but 
they aren't more expressive. Fuzzy Logic, on the other hand, is a variant where every 
proposition has a degree of truth (from zero to one). While this is different than propositional 
logic (and, it is the right way to model many real-world problems), as a logic it hasn't yielded 
interesting new mathematical results. 


Even more silliness can ensue when the domain is empty: For example, not only is every 
member of the empty set even, but every member is simultaneously odd! That is, 

Va: (R(x) A -R(z)) is true (only) when the domain is the empty set. Even more 
degnerately, Vx : (false) is a true (only) on the emtpy domain. 


Are we done yet? 


While equivalences are very useful, we are often interested in implications such as the one 
mentioned previously: Vz : (y) = Jæ : (Y). We could rephrase that as an equivalence, 
Va: (py) = Jz : (p) = true. Informally, it should be clear that that is rather awkward, and 
formally it is as well. 


But such implications are exactly what inference rules are good for. So, let's continue and 
consider what first-order inference rules should be. 


First-Order Logic: inference rules 


Inference with quantifiers 


Proving first-order sentences with inference rules is not too different than 
for propositional ones. We have two slight twists to add: upgrading 
propositions to relations, and quantifiers. We still keep all our original 
propositional inference rules, but declare they can now be used on first- 
order WFFs. For our quantifiers, we introduce new first-order inference 
rules for adding and eliminating quantifiers from formulas. These four new 
rules look surprisingly simple, but they do have a couple of subtleties we 
have to keep track of. 


Exists-intro 


What is the most natural way to prove an existential sentence, like “there 
exists a prime number greater than 5”? That's easy — you just mention such 
a number, like 11, and show that it is indeed prime and greater than 5. In 
other words, once we prove 

(11 >5) A Vj: (Vk: (11 = jk) = (j= 1) v (k = 1))) we can then 
conclude — using the inference rule 4Intro — that the formula 

apeiip> 5) A Yj: (Wks (@ =7k) =] G=1) v (k= 1)))) is true. 
In general, to prove a formula of the form Jz : (Y), we show that y holds 
when zg is replaced with some particular witness. (The witness was 11 in 
this example.) The inference rule is y[p-+c] H 3p : (Y). The notation “ 
y|v—w]” means the formula y but with every occurrence of v replaced by 
w. For example, we earlier wrote down the formula y[p++11], and then 
decided that this was sufficient to conclude 3p : (vy). 


Note: Observe that you'll never use the substitution-notation “ 
y|...-»...]” as part of a literal formula — it is only used in the 
inference rule, as a shorthand to describe the actual formula. (It's a pattern- 
matching metalanguage!) 


Note: While it seems like substitution should be a simple textual search- 
and-replace, it is sometimes more complicated. In the formula 

p = (a> 5) A Jz: (R(x)), we don't want y|x+>6] to try to mention 
R(6), much less generate something nonsensical like V6: (...). In 
programming languages, we say we want “hygienic macros”, to respect our 
the language's notions of variables and scope. E.g., the C pre-processor's 
#define and #inc1ude notably does not respect hygiene, and can 
inadvertently lead to hard-to-find bugs. Solution: For simplicity, we will 
always consistently rename variables so that each quantifier binds a 
distinct variable. 


How do you find a witness? That's the difficult part. You, the person 
creating the proof, must grab a suitable example out of thin air, based on 
your knowledge of what you want to prove about it. In our previous 
example, we used our knowledge about prime numbers and about the 
greater-than relation to pick a witness that would work. In essence, we 
figured out what facts needed to be true about the witness for the formula to 
hold, and used that to guide our choice of witness. Of course, this can easily 
be more difficult, as when proving that there exists a prime greater than 
6971 of the form 4x — 1. (It turns out that 796751 will suffice as a witness 
here.) Another approach is trial-and-error: Pick some candidate value, and 
see if it does indeed witness what you're trying to prove. If you succeed, 
you're done. If not, pick another candidate. 


Exists-Elim 


The complementary JElim rule corresponds to giving a (new) name to a 
witness. Thus if you know “there exists some prime bigger than 5”, then by 
Elim we can think of giving some witness the name (say) c, and end up 
concluding “c is a prime bigger than 5”. The caveats are that c must be a 
new name not already used in the proof, and different from any variables 
free in the conclusion we're aiming for. However, we will be able to use that 
variable c along with universal formulas to get useful statements. 


Thus the general form of the rule is that Sp : (Y) F y[p— c]. That is, we 
can rewrite the body of the exists, replacing the quantified variable p with 
any new variable name c, subject to the restrictions just mentioned. 


Forall-Intro 


Can we extend that idea to proving a universal sentence? One witness is 
certainly not enough. We'd need to work with lots of witnesses, in fact, 
every single member of our domain. That's not very practical, especially 
with infinitely large domains. We need to show that no matter what domain 
element you choose, the formula holds. 


Consider the statements “If n is prime, then we know that ...” and “A 
person X who runs a business should always ...”. Which n is being talked 
about, and which person? Well, any number or person, respectively. After 
learning about quantifiers, you may want to preface these sentences with 
“For all n” or “For all [any] persons X”. But a linguist might point out that 
while yes “for all” is related to the speaker's thought, they are actually 
using a subtly different mode — that of referring to a single person or 
number, albeit an anonymous, arbitrary one. If “an arbitrary element” 
really is a natural mode of thought, should our proof system reflect that? 


If we choose an arbitrary member of the domain, and show that the 
sentence holds for it, that is sufficient. But, what do we mean by 
“arbitrary”? In short, it means that we have no control over what element is 
picked, or equivalently, that the proof must hold regardless of what element 
is picked. More precisely, a variable is arbitrary unless: 


e A variable is not arbitrary if it is free in (an enclosing) premise. 
e A variable is not arbitrary if it is free after applying JElim — either as 
the introduced witness c, or free anywhere else in the formula. 


The usual way to introduce arbitrary variables is during VElim (w/o later 
using it in JElim). The formal inference rule for introduction of universal 
quantification will use these cases as restrictions. 


Forall-Elim 


Getting rid of universal quantifiers is easy: if you know Vz : (y) (where y 
is a formula presumably involving æ), well then you can replace x with 
anything you want, and the resulting formula will be true. We say 

Va: (p) F [x= t] where t is any term. Any variables in t are arbitrary, 
unless it is an already-existing non-arbitrary variable. 


For example, suppose we know that 

Vn : (prime (n) A (n > 2) = odd (n)). We can replace n with some 
term like m + 4 to conclude 

prime (m + 4) A (m + 4 > 2) => odd (m + 4). The variable m is 
arbitrary, unless it already occurred in non-arbitrary in a previous line of the 
proof (perhaps introduced via SElim). A more usual step is to use a term 
which is just a single variable, and (by coincidence) happens to have the 
same name as the quantified variable we are eliminating. Thus we often 
conclude prime (n) A (n > 2) = odd (n) (note the absence of the initial 
V); n is arbitrary (unless it had already been confusingly in use as a non- 
arbitrary variable earlier). This is helpful when we'll be later re-introducing 
the V in a later step; see the example below. 


Formal inference rules and proofs 


Recall the syllogisms from a previous lecture. The general form of a 
syllogism is 


1. Va : (P(x) => Q(x)) [major premise] 
2. P(c) [minor premise] 
3. Q(c) [conclusion] 


In our system, we don't have syllogism as a separate rule of inference, but 
it's easy to see how to translate any syllogism into our system: (for specific 
relations P and Q, and a specific constant c). 


1 Va: (P(x) > Q(2)) Premise 


2 P(c) Premise 

3 P(c) > Q(c) VElim, by line 1, with z = c 
=> Elim, by lines 2,3, with 

4 Qe) j 


y= P=candywy=Q=c 


Eliminating a quantifier via VElim and Elim is often merely an 
intermediate step, where the quantifier will be reintroduced later. This 
moves the quantification from being explicit to implicit, so that we can use 
other inference rules on the body of the formula. When this is done, it is 
very important to pay attention to the restrictions on VIntro, so that we don't 
accidentally “prove” anything too strong. 


Example: 
Je : (Vy: (v)) F Vy: (da : (v)) , for the particular case of y = R(x, y) 
(other cases all similar). 


1 dz: (Vy: (R(a, y))) Premise 

2 Vy : (R(p, y)) JElim, line 1 
3 R(p, q) VElim, line 2 
4 dz : (R(z,q)) Intro, line 3 


5 Vy: (sa : (R(x, y))) VIntro, line 4 


Remember that in line 5, for VIntro, we must verify that q is arbitrary. It is, 
since it was introduced in line 3 by VElim, and there hasn't been an 
intervening JElim between lines 3 and 5. 

We cannot instead conclude in line 4 that Vx : (R(x, q)) by Vintro, since 
variable p was introduced by JElim in line 2, and therefore not arbitrary. 


Exercise: 


Problem: 


Let's reverse the previous proof goal: 

Vy : (Ax : (y)) F 3x : (Vy: (~)), for the particular case of 

p = R(a, y) (other cases all similar). This statement does not hold in 
general. So, what's the problem with the following “proof”? 


1 Vy: (Jx : (R(x, y))) Premise 

2 dz : (R(z,q)) VElim, line 1 

3 R(p,q) JElim, line 2 

4 Vy: (R(p, y)) VIntro, line 3 

5 de: (Vy: (R(a, y))) Intro, line 4 
Solution: 


In line 4, VIntro requires that variable being generalized, q, be 
arbitrary. It was introduced in line 2 by VElim, so that's OK. (E.g., we 
could've used VIntro on line 3 to reintroduce the quantifier just 


eliminated.) But, q was free when we used Elim on line 3, and this 
makes the variable no longer arbitrary. Line 3's choice of p may 
depend on q, and a variable is only arbitrary if it is free of any such 
constraints. 


The VIntro principle is actually very familiar. For instance, after having 
shown =(a ^ b)F ~a V 7b, we then claimed this was really true for 
arbitrary propositions instead of just a,b. (We actually went a bit further, 
generalizing individual propositions to entire (arbitrary) WFFs y,w. This 
could only be done because in any particular interpretation, a formula y 
will either be true or false, so replacing it by a proposition still preserves the 
important part of the proof-of-equivalence.) 


The VIntro is also used in many informal proofs. Consider: “If a number n 
is prime, then ...”. This translates to “prime (n) => ...”, where n is 
arbitrary. We are entirely used to thinking of this as “ 

Vn : (prime (n) => ...)” even though “n” was introduced as if it were a 
particular number. 


Proofs and programming 


We previously saw that the inference rules of propositional logic are closely 
related to the process of type checking. The same holds here. For example, 
in many programming languages, we can write a sorting function that 
works on any type of data. It takes two arguments, a comparison function 
for the type and a collection (array, list, ...) of data of that type. The type of 
the sorting function can then be described as “for all types T, given a 
function of type (T and T) > T, and data of type (collection T), it returns 
data of type (collection T)”. This polymorphic type-rule uses universal 
quantification. 


Note that the details about substitutions and capture noted here arise in any 
kind of program that manipulates expressions with bound variables. That 
includes not only automated theorem provers, but compilers. To avoid such 
issues, Many systems essentially rename all variables by using pointers or 
some similar system of each variable referring to its binding-site. 


When people speak of proofs written by computer, they're talking about this 
style of inference rule proofs. 


Exercises for First-Order Logic 


Throughout these exercises, a # b is simply a shorthand for — (a = b). 


Relations and Interpretations 


Exercise: 


Problem: Consider the binary relation is-a-factor-of on the domain {1, 2, 3, 4, 5, 6}. 


1. List all the ordered pairs in the relation. 
2. Display the relation as a directed graph. 
3. Display the relation in tabular form. 


4. Is the relation reflexive? symmetric? transitive? 
Exercise: 


Problem: How would you define addsTo as a ternary relation? 
1. Give a prose definition of addsTo (z, y, z) in terms of the addition function. 


2. List the set of triples in the relation on the domain {1, 2, 3, 4}. 


Exercise: 
Problem: 
Generalize the previous problem to describe how you can represent any k-ary function as a (k + 1)-ary 
relation. 
Exercise: 
Problem: 


Are each of the following formulas valid, i.e., true for all interpretations? (Remember that the relation names 
are just names in the formula; don't assume the name has to have any bearing on their interpretation.) 


e For arbitrary a and b in the domain, atLeastAsWiseAs (a,b) V atLeastAsWiseAs (b, a) 
e For arbitrary a in the domain, prime (a) = (odd (a) => prime (a)) 
e For arbitrary a and b in the domain, betterThan (a, b) = — betterThan (b, a) 


For each, if it is true or false under all interpretations, prove that. For these small examples, a truth table like 
this one will probably be easier than using Boolean algebra or inference rules. Otherwise, give an 
interpretation in which it is true, and one in which it is false. 


Note: As always, look at trivial and small test cases first. Here, try domains with zero, one, or two elements, 
and small relations. 


Exercise: 


Problem:| Practice problem—solution provided. ] 


Suppose we wanted to represent the count of neighboring pirates with a binary relation, such that when 
location A has two neighboring pirates, piratesNextTo (A, 2) will be true. Of course, 

piratesNextTo (A, 1) would not be true in this situation. These would be analogous with the propositional 
WaterWorld propositions A-has-2 and A-has-1, respectively. 


If we only allow binary relations to be subsets of a domain crossed with itself, then what must the 
1. domain be for this new relation piratesNextTo? 
If we further introduced another relation, isNumber?, what is a formula that would help distinguish 
intended interpretations from unintended interpretations? That is, give a formula that is true under all our 
intended interpretations of piratesNextTo but is not true for some "nonsense" interpretations we want 
2. to exclude. (This will be a formula without an analog in the WaterWorld domain axioms.) 


Solution: 


1. The relation needs to accept locations as well as numbers, so the domain is L U N, where L is the set of 
WaterWorld locations. Alternatively, you could use {0, 1, 2, 3} instead of N, the set of all natural 
numbers. 


2. The difficulty is that it's possible to ask about nonsensical combinations like piratesNextTo (17, 2) and 
piratesNextTo (W, B). Adding isNumber?, any interpretation would be expected to satisfy, for 
arbitrary a and b, piratesNextTo (a, b) = isNumber?(b) A —isNumber?(a, b). 


Note: More interestingly though, imagine we did interpret piratesNextTo over the domain N only. We 
could then pretend that the locations, instead of being named A,...,Z, were just numbered 1,...,24. 
While this representation doesn't reflect how we model the problem, it is legal. Exercise for the reader: 
Write a formula which excludes relation piratesNextTo which can't match this convention! 


Exercise: 


Problem: 
Determine whether the relation R on the set of all people is reflexive, antireflexive, symmetric, 
antisymmetric, and/or transitive, where (a,b) € R if and only if ... 

1. a is older than b. 

2. a is at least as old as b. 

3. a and b are exactly the same age. 

4. a and b have a common grandparent. 


5. a and b have a common grandchild. 


Exercise: 


Problem: 
For each of the following, if the statement is true, explain why, and if the statement is false, give a counter- 
example relation. 

1. If R is reflexive, then R is symmetric. 

2. If R is reflexive, then R is antisymmetric. 

3. If R is reflexive, then R is not symmetric. 

4. If R is reflexive, then R is not antisymmetric. 

5. If R is symmetric, then R is reflexive. 

6. If R is symmetric, then R is antireflexive. 


7. If Ris symmetric, then R is not antireflexive. 


Quantifiers 


Exercise: 


Problem: Let P(x) be the statement "has been to Prague", where the domain consists of your classmates. 


1. Express each of these quantifications in English. 


O O O O 00 0 0 
J 


2. Which of these mean the same thing? 
Exercise: 
Problem: 


Let C(x) be the statement "z has a cat", let D(a) be the statement "x has a dog", and let F(x) be the 
statement "æ has a ferret". Express each of these statements in first-order logic using these relations. Let the 
domain be your classmates. 

1. A classmate has a cat, a dog, and a ferret. 


2. All your classmates have a cat, a dog, or a ferret. 


3. At least one of your classmates has a cat and a ferret, but not a dog. 


4. None of your classmates has a cat, a dog, and a ferret. 
5. For each of the three animals, there is a classmate of yours that has one. 
Exercise: 
Problem: 


Determine the truth value of each of these statements if the domain is all real numbers. Where appropriate, 
give a witness. 


Tales (a? = 2) 

2. Aa ¢ = —1) 
3. Va: (£? +2 > 1) 
4. Vz : (x? £ x) 


Interpreting First-order Formulas 


Exercise: 


Problem: 


Let P(x), Q(x), R(x), and S(x) be the statements "x is a duck", "x is one of my poultry", "æ is an officer", 
and "z is willing to waltz", respectively. Express each of these statements using quantifiers, logical 
connectives, and the relations P(x), Q(x), R(x), and S(x). 


1. No ducks are willing to waltz. 
2. No officers ever decline to waltz. 
3. All my poultry are ducks. 


4. My poultry are not officers. 


Does the fourth item follow from the first three taken together? Argue informally; you don't need to use 
5. the algebra or inference rules for first-order logic here. 


Exercise: 


Problem: 


You come home one evening to find your roommate exuberant because they have managed to prove that there 
is an even prime number bigger than two. More precisely, they have a correct proof of 

dy: (P(y) A (y > 2) = E(y)), for the domain of natural numbers, with P interpreted as "is prime?" and 
E interpreted as "is even?". While they are celebrating their imminent fame at this amazing mathematical 
discovery, you ponder... 


..-and realize the formula is indeed true for that interpretation. Briefly explain why. You don't need to 
give a formal proof using Boolean algebra or inference rules; just give a particular value for y and 
1. explain why it satisfies the body of " 3y : (y) ". 


Is the formula still true when restricted to the domain of natural numbers two or less? Briefly explain 
2. why or why not. 


3. Is the formula still true when restricted to the empty domain? Briefly explain why or why not. 


4. Give a formula that correctly captures the notion " there is an even prime number bigger than 2 ". 


Exercise: 


Problem: 


For the sentence Va : (Vy: (A(x) A B(x, y) = A(y))) state whether it is true or false, relative to the 
following interpretations. If false, give values for x and y witnessing that. 


1. The domain of the natural numbers, where A is interpreted as "even?", and B is interpreted as "equals" 

2. The domain of the natural numbers, where A is interpreted as "even?", and B is interpreted as "is an 
integer divisor of" 

3. The domain of the natural numbers, where A is interpreted as "even?", and B is interpreted as "is an 
integer multiple of" 

4. The domain of the Booleans, {true, false}, where A is interpreted as "false?", and B is interpreted as 
"equals" 

5. The domain of WaterWorld locations in the particular board where locations Y and Z contain pirates, but 
all other locations are safe, the relation symbol A is interpreted as "unsafe?", and B is interpreted as 
"neighbors" 

6. All WaterWorld boards, where A is interpreted as "safe?", and B is interpreted as "neighbors". (That is, 
is the formula valid for WaterWorld?) 


Exercise: 


Problem: 


Translate the following conversational English statements into first-order logic, using the suggested 
predicates, or inventing appropriately-named ones if none provided. (You may also freely use = which we'll 
choose to always interpret as the standard equality relation.) 


1. "All books rare and used". This is claimed by a local bookstore; what is the intended domain? Do you 
believe they mean to claim "all books rare or used"? 

2." Everybody who knows that UFOs have kidnapped people knows that Agent Mulder has been 
kidnapped. " (Is this true, presuming that no UFOs have actually visited Earth. ..yet?) 


Exercise: 


Problem: 


Write a formula for each of the following. Use the two binary relations isFor and isAgainst and domain of 
all people. 


e "All for one, and one for all!" We'll take "one" to mean "one particular person", and moreover, that both 
"one's are referring the same particular person, resulting in "There is one whom everybody is for, and 
that one person is for everybody." [footnote] 

Dumas' original musketeers presumably meant something different: that each one of them was for each 
(other) one of the them, making the vice-versa clause redundant. But this is boring for our situation, so 
we'll leave that interpretation to Athos, Porthos, and Aramis alone.) 

e "If you're not for us, you're against us." In aphorisms, "you" is meant to be an arbitrary person; consider 
using the word "one" instead. Furthermore, we'll interpret "us" as applying to everybody. That is, " One 
always believes that “if one is not for me, then one is against me' ". 

e "The enemy of your enemy is your friend." By "your enemy" we mean "somebody you are against", and 
similarly, "your friend" will mean "somebody you are for". (Be carefule! This may be different than 
"somebody who is against/for you"). 

e "Somebody has an enemy." (We don't know of an aphorism expressing this. [footnote]) 


None of the following quite capture it: "Life's not a bed of roses"; "It's a dog-eat-dog world"; "Everyone 
for themselves"; "You can't please all the people all the time". 


Two interpretations are considered fundamentally the same (or isomorphic) if you can map one interpretation to 
the other simply by a consistent renaming of domain elements. 
Exercise: 


Problem:| Practice problem—solution provided. ] 


Find two fundamentally different interpretations that satisfy the statement "There exists one person who is 
liked by two people". 


Solution: 


One interpretation that satisfies this is a domain of three people Alice, Bob, Charlie, with the likes relation: 
{(Alice, Bob), (Bob, Bob) }. Bob is liked by two people, so it satisfies the statement. 


Here's another interpretation that is the same except for renaming, and thus not fundamentally different: a 
domain of three people Alyssa, Bobby, Chuck, with the likes relation: {(Chuck, Alyssa), (Alyssa, Alyssa) } 
. With the substitutions [Chuck+> Alice] and [Alyssa+Bob], we see that the underlying structure is the same 
as before. 


Here's an interpretation that is fundamentally different: a domain of three people Alice, Bob, Charlie, with the 
likes relation: {(Charlie, Bob), (Alice, Bob) }. No matter how you rename, you don't get somebody liking 
themself, so you can see its underlying structure is truly different than the preceding interpretations. 


English is fuzzy enough that it is unclear whether "one" and "two" are meant as exact counts. The above two 
examples each assumed they are. 


Note: If we change the statement slightly to add a comma: " There exists one person, who is liked by two 
people ", we arguably change the meaning significantly. The now-independent first clause arguably means 
there is only one person existent in total, so the overall statement must be false! There's a quick lesson in the 
difference between English dependent and independent clauses. 


Exercise: 
Problem: 


For the four "Musketeer" formulas from a previous exercise, find three fundamentally different interpretations 
of isFor which satisfy all the formulas on a domain of three people. 


Depict each of these interpretations as a graph. Draw three circles (nodes) representing the three people, and 
an arrow (edge) from a person to each person they like. (You can glance at Rosen Section 9.1, Figure 8 for an 
example.) 


Note: One of the interpretations is unintuitive in that isFor and isAgainst don't correspond to what we 
probably mean in English. 


Exercise: 


Problem: 


Translate the following statements into first-order logic. The domain is the set of natural numbers, and the 
binary relation kth (k, n) indicates whether or not the kth number of the sequence is n. For example, the 
sequence (5, 7, 5), is represented by the relation kth = {(0, 5), (1, 7), (2,5)}. You can also use the binary 
relations =, <, and <, but no others. 


You may assume that kth models a sequence. No index k is occurs multiple times, thus excluding 

kth = {(0, 5), (1,7), (0, 9)}. Thus, kth is a function, as in a previous example representing an atray_as a 
function. Also, no higher index k occurs without all lower-numbered indices being present, thus excluding 
kth = {(0, 5), (1, 7), (3, 9)}. 


1. The sequence is finite. 
2. The sequence contains at least three distinct numbers , e.g., (5, 6, 5, 6, 7, 8), but not (5, 6, 5, 6). 


3. The sequence is sorted in non-decreasing order, e.g., (3, 5,5, 6, 8, 10, 10, 12). 
4. The sequence is sorted in non-decreasing order, except for exactly one out-of-order element, e.g., 
(20, 30, 4, 50, 60). 


Exercise: 
Problem: 


Some binary relations can be viewed as the encoding of a unary function, where the first element of the 
ordered pair represents the function's value. For instance, in a previous exercise we encoded the binary 
function addition as a ternary relation addsTo. 


1. Give one example of a binary relation which does not correspond to the encoding of a function. 


Write a first-order formula describing the properties that a binary relation R must have to correspond to 
2. a unary function. 


Exercise: 
Problem: 


Alternation of quantifiers: Determine the truth of each of the following sentences in each of the indicated 
domains. 


Note: To help yourself, you might want to develop an English version of what the logic sentences say. Start 
with the inner formula (talking about people z,y,z), then add the quantifier for z to get a statement about 
people x,y, and repeat for the other two quantifiers. 


Four sentences: 


1. Var (Vy : (dz: (likes (x,y) A ((z 4 y) = —likes (y, z))))) 

da: (Vy: (Vz: (likes (x,y) A ((z 4 y) > —likes (y, z))))) 
3. da (Sy : (Vz: (likes (x,y) A ((z Æ y) > ~ likes (y, z))))) 
4. Yz : (dy: (Vz: (likes (z, y) A ((z 4 y) > ~ likes (y, z))))) 


Four domains: 


1. The empty domain. 

2. A world with one person, who likes herself. 

3. A world with Yorick and Zelda, where Yorick likes Zelda, Zelda likes herself, and that's all. 

4. A world with many people, including CJ (Catherine Zeta-Jones), JC (John Cusack), and JR (Julia 
Roberts). Everybody likes themselves; everybody likes JC; everybody likes CJ except JR; everybody 
likes JR except CJ and IB. Any others may or may not like each other, as you choose, subject to the 
preceding. (You may wish to sketch a graph of this likes relation, similar to Rosen Section 9.1 Figure 8.) 


Determine the truth of all sixteen combinations of the four statements and four domains. 


Modeling 


Exercise: 


Problem: 


Translate the following into first-order logic: " Raspberry sherbet with hot fudge (rshf) is the tastiest dessert. 
" Use tastier as your only relation. 


What is the intended domain for your formula? What is a relation which makes this statement true? One 
which makes it false? 


Exercise: 


Problem: 


Even allowing for ellision, the list of WaterWorld domain axioms is incomplete, in a sense. The game reports 
how many pirates exist in total, but that global information is not reflected in the propositions or axioms. We 
had the same problem with the propositional logic domain axioms 


1. First, assume we only use the default WaterWorld board size and number of pirates, i.e., five. What 
additional axiom or axioms do we need? 

2. Next, generalize your answer to model the program's ability to play the game with a different number of 
pirates. What problem do you encounter? 


Exercise: 


Problem: 


The puzzle game of Sudoku is played on a 9 x 9 grid, where each square holds a number between 1 and 9. 
The positions of the numbers must obey constraints. Each row and each column has each of the 9 numbers. 
Each of the 9 non-overlapping 3 x 3 square sub-grids has each of the 9 numbers. 


Like WaterWorld, throughout the game, some of the values have not been discovered, although they are 
determined. You start with some numbers revealed, enough to guarantee that the rest of the board is uniquely 
determined by the constraints. Thus, like in WaterWorld, when deducing the value of another location, what 
has been revealed so far would serve as premises in a proof. 


Fortunately, there are the same number of rows, columns, subgrids, and values. So, our domain is 
{1, 2, 3, 4, 5, 6, 7, 8, 9}. 


To model the game, we will use the following relations: 


e value (r, c, v) indicates that at row r, column c is the value v. 
e v = wis the standard equality relation. 
e subgrid (g, r, c) indicates that subgrid g includes the location at row r, column c. 


Provide domain axioms for Sudoku, and briefly explain them. These will model the row, column, and subgrid 
constraints. In addition, you should include constraints on our above relations, such as that each location 
holds one value. 


Reasoning with Equivalences 


Exercise: 


Problem: 


Some of the first-order equivalences are redundant. For each of the following, prove the equivalence using the 
other equivalences. 


1. Vz : ($ => 0) =42:(¢)>0 


2. Assuming a non-empty domain, Jz : (0 > ¢) = 0 > Az: (¢). 


Exercise: 
Problem: 
We can characterize a prime number as a number n satisfying Vq : (Vr: ((qr = n) > (q= 1) v (r = 1))) 


. Using the equivalences for first-order logic, show step-by-step that this is equivalent to the formula 
dq: (Ar : ((qr =n) A (q#1) A (r £ 1))). Do not use any arithmetic equivalences. 


Exercise: 


— 


Problem: 


A student claims that Vz : (A(z) A B(x) > C(z)) =Va:(A(a)) A Va: (B(x)) > C(z) by the 
"distribution of quantifiers". This is actually trying to do two steps at once. Rewrite this as the two separate 
intended steps, determine which is wrong, and describe why that step is wrong. 


Exercise: 


Problem: 


Simplify the formula Vz : (Vy: (dz: (A(x) A B(y) = C(z)))), so that the body of each quantifier 
contains only a single atomic formula involving that quantified variable. Provide reasoning for each step of 
your simplification. 


Reasoning with Inference Rules 


Exercise: 


Problem:[Practice problem—solution provided. ] 
Prove that syllogisms are valid inferences. In other words, show that Vx : (R(a) = S(x)),R(c) F S(c). 


Solution: 


1 Va: (R(x) > S(a)) Premise 


2 R(c) Premise 


3 R(c) > S(c) VElim, line 1 
4 X(c) =>Elim, lines 2,3 
Exercise: 


Problem: What is wrong with the following "proof" of da : (E(x)) = E(c)? 


1 subproof:Ja : (E(x)) + E(c) 
la da : (E(x)) Premise for subproof 
1.b E(c) Elim, line 1.a 
2 da : (E(x)) > E(c) =Intro, line 1 
Exercise: 
Problem: 


Using the inference rules, formally prove the last part of the previous problem about ducks and such. 


Exercise: 


Problem: 


Give an inference rule proof of 
Vz : (Fruit (x) > hasMethod (tasty, z)),Vy : (Apple (y) > Fruit (y)) F Vz: (Apple (z) > hasMethod (t 


Exercise: 


Problem: 


1. Prove the following: 3x : (P(x)),Vy: (P(y) > Q(y)) F dz: (Q(z)) 

2. Your proof above used AIntro. Why can't we replace that step with the formula Vz : (Q(z)) with the 
justification "VIntro"? 

3. Describe an interpretation which satisfies the proof's premises, but does not satisfy Vz : (Q(z)). 


Logic: Looking Back 
A recap of where we've been, and why we traveled there. 


Why didn't we begin with quantifiers all along? 
We saw three stages of logics: 


e Propositional logic, with formulas like 
DickLikesJane = ~ JaneLikesDick. While the propositions are 
named suggestively, nothing in the logic enforces a relation among 
these; it is equivalent to A > ~B. 

e Predicate logic, where variables (and constants) can express a 
connection between different parts of the formula: 
likes (y, x) = ~ likes (a, y) Predicate logic introduced the idea of 
variables, and required domains and interpretations to determine truth. 
But it can't bind variables, and thus requires an interpretation of x and 
y to evaluate. 

e First-order logic, which included two quantifiers to bind variables: 
Vy : (da : (likes (y, x) = — likes (a, y))) 


So why, you might ask, didn't we just start out with first-order logic in the 
first lecture? One reason, clearly, is to introduce concepts one at a time: 
everything you needed to know about one level was needed in the next, and 
then some. But there's more: by restricting our formalisms, we can't express 
all the concepts of the bigger formalism, but we can have automated ways 
of checking statements or finding proofs. 


In general, this is a common theme in the theory of any subject: 
determining when and where you can (or, need to) trade off expressibility 
for predictive value. For example, ... 


e Linguistics: Having a set of precise rules for (say) Tagalog grammar 
allows you to determine what is and isn't a valid sentence; details of 
the formal grammar can reveal relations to other languages which 
aren't otherwise so apparent. On the other hand, a grammar for any 
natural language is unlikely to exactly capture all things which native 


speakers say and understand. If working with a formal grammar, one 
needs to know what is being lost and what is being gained. 


o Dismissing a grammar as irrelevant because it doesn't entirely 
reflect usage is missing the point of the grammar; 

o Conversely, condemning some real-life utterances as 
ungrammatical (and ignoring them) forgets that the grammar is a 
model which captures many (if not all) important properties. 


Of course, any reasonable debate on this topic respects these two poles 
and is actually about where the best trade-off between them lies. 

e Psychology: Say, Piaget might propose four stages of learning in 
children. It may not trade off total accuracy, for (say) clues of what to 
look for in brain development. 

e Physics: Modern pedagogy must trade off quantum accuracy for 
Newtonian approximations. Researchers exploring fields like particle 
physics must trade off exact simulations for statistical ("stochastic") 
approximations. 


Understanding the theoretical foundations of a field is often critical for 
knowing how to apply various techniques in practice. 


Logic and everyday reasoning 


We've looked at the impreciseness and ambiguity of natural language 
statements, but these are not the only problems hidden in natural language 
arguments. The following illustrates a common form of hidden assumption: 
saying "the tenth reindeer of Santa Claus is ..." implies the existence some 
tenth reindeer. More subtly, humans use much more information than what 
is spoken in a conversation. Even aside from body language, consider a 
friend asking you "Hey, are you hungry?" While as a formal statement this 
doesn't have any information, in real life it highly suggests that your friend 
is hungry. 


A much more blatant form of missing information is when the speaker 
simply chooses to omit it. When arguing for a cause it is standard practice 


to simply describe its advantages, without any of its disadvantages or 
alternatives. 


Note: Economists measure things not in cost, but opportunity cost, the 
price of something minus the benefits of what you'd get using the price for 
something else. E.g., for $117 million the university can build a new 
research center. But what else could you do on campus with $117m? 


Historically, logic and rhetoric, the art of persuasion through language, are 
closely linked. 


Other logics 
You've now been introduced to two logics: propositional and first-order. 


But, the story does not have to end here. There are many other logics, each 
with their uses. 


Limitations of first-order logic's expressiveness 
We can make first-order sentences to express concepts as " vertices a and b 


are connected by a path of length 2 ", as well as '"...by a path of length 3", " 
length < 4", etc. 


Note: Write a couple of these sentences! 


But trying to write " vertices a and b are connected [by a path of any length] 
" isn't obvious ... in fact, it can be proven that no first-order sentence can 


express this property! Nor can it express the closely-related property "the 
graph is connected" (without reference to two named vertices a and b). 


Hmm, what about second-order logic? It has a bigger name; whatever it 
means, perhaps it can express more properties? 


What exactly is second-order logic? In first-order logic, quantifiers range 
over elements of the domain: " there exist numbers z and y, ... ". In 
second-order logic, you can additionally quantify over sets of elements of 
the domain: " there is a set of numbers, such that... ". 


Example: 

For instance, " for all vertices x and y, there exists a set of vertices (call the 
set 'Red'), the red vertices include a path from z to y ". More precisely, " 
every Red vertex has exactly two Red neighbors, or it is x or y (which each 
have exactly 1 red neighbor) ". Is this sentence true exactly when the graph 
is connected? Why does this description of "red vertices" not quite 
correspond to " just the vertices on a path from x to y "? 


An interesting phenomenon: There are some relations between how difficult 
it is to write down a property, and how difficult to compute it! How might 
you try to formalize the statement "there is a winning strategy for chess"? 


A shortcoming of first-order logic is that it is impossible to express the 
concept "path". (This can be proven, though we won't do so here.) 


Thus, some other logics used to formalize certain systems include: 


e As mentioned, second-order logic is like first-order logic, but it also 
allows quantification over entire relations. Thus, you can make 
formulas that state things like " For all relations R, if R is symmetric 
and transitive, then ... ". While less common, we could continue with 
third-order, fourth-order, etc. 


e Temporal logic is based on quantification over time. This is useful to 
describe how a program's state changes over time. In particular, it is 
used for describing concurrent program specifications and 
communication protocols, sequences of communications steps used in 
security or networking. See, for example, TeachLogic's Model- 
Checking module. 

e Linear logic is a "resource-aware" logic. Every premise must be used, 
but it may be used only once. This models, for example, how keyboard 
input is usually handled: reading an input also removes it from the 
input stream, so that it can't be read again. 


Logic in computer science 
Logics provide us with a formal language useful for 


e specifying properties unambiguously, 

e proving that programs and systems do (or don't) have the claimed 
properties, and 

e gaining greater insight into other languages such as database queries. 


Programming language type systems are a great example of these first two 
points. The connectives allow us to talk about pairs and structures (x and y 
), unions (a or y), and functions (if you give the program a g, it produces a 
y). The "generics" in Java, C++, and C# are based upon universal 
quantification, while "wildcards" in Java are based upon existential 
quantification. One formalization of this strong link between logic and 
types is called the Curry-Howard isomorphism. 


Compilers have very specific logics built into them. In order to optimize 
your code, analyses check what properties your code has e.g., are variables 
b and c needed at the same time, or can they be stored in the same hardware 
register? 


More generally, it would be great to be able to verify that our hardware and 
software designs were correct. First, specifying what "correct" means 
requires providing the appropriate logical formulas. With hardware, 
automated verification is now part of the regular practice. However, it is so 


computationally expensive that it can only be done on pieces of a design, 
but not, say, a whole microprocessor. With software, we also frequently 
work with smaller pieces of code, proving individual functions or 
algorithms correct. However, there are two big inter-related problems. 
Many of the properties we'd like to prove about our software are 
"undecidable" — it is impossible to check the property accurately for every 
input. Also, specifying full correctness typically requires extensions to first- 
order logic, most of which are incomplete. [footnote] As we've seen, that 
means that we cannot prove everything we want. While proving hardware 
and software correct has its limitations, logic provides us with tools that are 
still quite useful. For an introduction to one approach used in verification, 
see TeachLogic's Model-Checking module. 

Even something as simple as first-order logic using the integers as our 
domain and addition and multiplication as relations is undecidable. Kurt 
Gödel, 1931 


Acknowledgements 


The TeachLogic Project is the work of many contributors, and was made 
possible through an NSF CISE grant. Major contributors and grant Principle 
Investigators are 


e Moshe Vardi, Rice University 

e Matthias Felleisen, Northeastern University 

e Jan Barland, Rice University 

e Phokion Kolaitis, University of California at Santa Cruz 
e John Greiner, Rice University 


In addition, Paul Steckler implemented the Base module's Waterworld 
game. 


Students who helped contribute to various TeachLogic modules include 
(chronologically) 


e Peggy Fidelman 

e Justin Garcia 

e Brian Cohen 

e Sarah Trowbridge 
e Bryan Cash 

e Fuching “Jack” Chi 
e Ben McMahan 


TeachLogic has also been influenced by the Beseme project, headed by Rex 
Page of Oklahoma University; in particular the Base module owes both 
some overall structure and specific details to Beseme. 


Janice Bordeaux, from the Engineering Dean's office at Rice University, 
assisted with developing classroom assessment tools. 


Reference: propositional equivalences 


The following lists some propositional formula equivalences. Remember that we use the symbol = as a relation 
between two WFFs, not as a connective inside a WFF. In these, y, w, and @ are meta-variables standing for any 
WFF. 


Double = 

Complementation aa 

Complement y V my = true y A 7y = false 

Identity y V false = p A true = g 

Dominance y V true = true ^ false = false 

Idempotency yV p= pA p= 

Absorption y Alev b=¢ pVepANp=py 

Redundancy pA (wv v=eany pV-apnp=eVvy 
DeMorgans (9 AW) =p V ~le V Wy A 
Associativity TENE COEN E CEN AO pVv(wevbd=(e Vy) Vv O 
Commutativity pAvp=ava ypVvp=eyvVe¢ 

Distributivity pn WVAN=ePAYV EAD pVbAN b= Va) AY V 9) 


Propositional Logic Equivalences 


Equivalences for implication are omitted above for brevity and for tradition. They can be derived, using the 
definition a > b = ~a V b. 


Example: 
For example, using Identity and Commutativity, we have 
true => b=-—true V b = false V b= b V false = b. 


Reference: propositional inference rules 


Abbreviation 


Intro 


AElim 


V Intro 


Name 


and- 
introduction 


and- 
elimination 
(left) 


and- 
elimination 


(right) 


or- 
introduction 
(left) 


or- 
introduction 


(right) 


If you know 
all of... 


...then you can infer 


Abbreviation 


VElim 


=> Intro 


=>Elim 


falseIntro 


Name 


or- 
elimination 


if- 
introduction 


if- 
elimination 
(modus 
ponens) 


false- 
introduction 


If you know 
all of... 


pre 
wre 


pV 


p,p.. GOF w 


P 


.. then you can infer 


PAPA... A0 Sw 


false 


Abbreviation 


falseElim 


RAA 


—Intro 


=Elim 


CaseElim 


Name 


false- 
elimination 


reductio ad 
absurdum 
(v. 1) 


reductio ad 
absurdum 
(v. 2) 


negation- 
introduction 


negation- 
elimination 


case- 
elimination 
(left) 


case- 
elimination 


(right) 


If you know 


all of... ...then you can infer 
false p 
~g F false p 
ọ F false ay 
p TAP 
Y 
pyy 
Y 
p 
pyy 


Uur propositional interence rules 
As usual, y, p, 6, w are meta-variables standing for any WFF. 


This is by no means the only possible inference system for propositional logic. 


Note: This set of inference rules is based upon Discrete Mathematics with a Computer 
by Hall and O'Donnell (Springer, 2000) and The Beseme Project. 


first-order equivalences 
Some equivalences for manipulation of first-order formulas. 


The following equivalences are in addition to those of propositional logic. In these, y and w each stand for any 
WFF, but 6 stands for any WFF with no free occurrences of x . 


Equivalence V Variant J Variant 


Complementation 


of Quantifiers z : (sp) = -Vz : (¢) 


Va: (~y) = 7dr : (9) 


Quantifies © | Ye (Wy: (p)) = Yu: (We: (o) z : (3y : (y)) = 3y: Ge: (y) 
Yz: (p Ap) SVe:(p) A Yz: 3e:(¢ V y) =e: (p) V Ie: (4) 
Distribution of Vz: (y V 0) =Vae:(y) v8 Jz: (y A 0) =Aa:(y) AO 
Quantifiers ne ee ee 
Va: (0 = p) =0 = Vz : (¢) 
Distribution of Va: (y A 0) =Var:(y) A 0 Jz: (y V 0) =Aa:(¢) v8 
Sees se: (p 0) = Ve: (p) +8 
— Ae: (0 > p) = 0 > Ae: (p) 
Renaming ve: (p) =W: (yle wl) Je : (9) = Ww: (ple => y) 


Simplification of 

Quantifiers — g _ 
with non-empty RES 
domain 


U 
8 
~ 
D 
ir 
III 
D 


Simplification of 
Quantifiers — 
with empty 
domain 


Vz : (p) = true dz : (p) = false 


First-order Logic Equivalences 


When citing Distribution of Quantifiers, say what you're distributing over what: e.g., " distribute V over V (with 0 
being x-free) ". 


In renaming, the notation |x ++ y] means " p with each free occurrence of x replaced by y ". It is a meta- 
formula; when writing any particular formula you don't write any brackets, and instead just do the replacement. 


This set of equivalences isn't actually quite complete. For instance, 
da: (Vy: (R(a,y))) = Vy: (Ax : (R(x, y))) is equivalent to true, but we can't show it using only the rules 


above. It does become complete[footnote] if we add some analogs of the first-order inference rules, replacing į 
with = (and carrying along their baggage of "arbitrary" and "free-to-substitute-in"). 

It's not obvious when this system is complete; that's Gödel's completeness theorem, his 1929 Ph.D. thesis. Don't 
confuse it with his more celebrated Incompleteness Theorem, on the other hand, which talks about the ability to 
prove formulas which are true in all interpretations which include arithmetic (as opposed to all interpretations 
everywhere.) 


Reference: first-order inference rules 


The following are in addition to those of propositional logic. 


If you know all ...then you 
Abbreviation Name of... can infer 
VIntro a Vz.yly—>zr] 
introduction 
p 


y arbitrary. 


If you know all ...then you 
Abbreviation Name of... can infer 


Vr.p 


VElim oe t is any p|z>t] 
elimination term that is 


free to be 
replaced in 


p. 


Domain 
non-empty. 


Abbreviation 


Intro 


Name 


A 
introduction 


If you know all 
of... 


p 


t is any 
term in yp 
that is free 
to be 
replaced. 


Domain 
non-empty. 


...then you 
can infer 


dz.ypltog| 
, where t is 
arbitrary 


If you know all ...then you 
Abbreviation Name of... can infer 


dz. 


J- . 
Elim ae cis anew plac] 
elimination constant in 


the proof. 


c does not 
occur in 
the proof's 
conclusion. 


Our first-order inference rules 


As usual, we use ọ as a meta-variable to range over first-order WFFs. 
Similarly, t is a meta-variable for first-order terms, and c is a meta-variable 
for domain constants. The notation [vw] means the formula ọ but with 
every appropriate occurrence of v replaced by w. 


As discussed in the lecture notes, a variable is arbitrary unless: 


e A variable is not arbitrary if it is free in (an enclosing) premise. 
e A variable is not arbitrary if it is free after applying JElim — either as 
the introduced witness c, or free anywhere else in the formula. 


The usual way to introduce arbitrary variables is during VElim (w/o later 
using it in SElim). 


As a detail in VElim and JIntro, the term t must be free to replace the 
variable x in y. This means that it is not the case that both t contains a 
variable quantified in y, and that x occurs free within that quantifier. In 
short, the bound variable names should be kept distinct from the free 
variable names. Also, only free occurrences x get replaced. The restriction 
in JElim on c being new is similar. 


Reference: propositional WaterWorld 


We summarize the details of how we choose to model WaterWorld boards in propositional logic: exactly what 
propositions we make up, and the formal domain axioms which capture the game's rules. 


The board is fixed at 6x4, named A,...,Z (with I and O omitted). 
fe] WaterWorld 


New game} 
Pirates left: 5 Ratio: 45% 


A Sample WaterWorld board 


Propositions 
There are a myriad of propositions for WaterWorld, which can be grouped: 


e Whether or not a location contains a pirate: A-unsafe, B-unsafe, ..., Z-unsafe. 
e Whether or not a location contains no pirate: A-safe, B-safe, ..., Z-safe. 


Note: Yes, using the intended interpretation, these are redundant with the previous ones. Some domain 
axioms below will formalize this. 


e Propositions indicating the number of neighboring pirates, to a location: A-has-0, A-has-1, A-has-2, 
B-has-0, B-has-1, B-has-2, ..., H-has-0, H-has-1, H-has-2, H-has-3, ..., Z-has-0, Z-has-1. These are all 
true/false propositions; — there are no explicit numbers in the logic. A domain axiom below will assert that 
whenever (say) B-has-1 is true, then B-has-0 and B-has-2 are both false. 


Note: There is no proposition A-has-3 — since location A has only two neighbors. Similarly, there is no 
proposition B-has-3. We could have chosen to include those, but under the intended interpretation they'd 
always be false. 


These propositions describe the state of the underlying board — the model — and not our particular view of 
it. Our particular view will be reflected in which formulas we'll accept as premises. So we'll accept A-has-2 as a 
premise only when A has been exposed and shows a 2. 


The domain axioms 


Axioms asserting that the neighbor counts are correct: 


e Count of 0: 
o “A0”: A-has-0 => B-safe A G-safe 
: “H0”: H-has-0 > G-safe A J-safe A P-safe 
o “20”: Z-has-0 > Y-safe 


e Count of 1: 


o “A1”: A-has-1 => B-safe A G-unsafe V B-unsafe ^ G-safe 
o “H1”: 
H-has-1 => G-safe ^A J-safe ^A P-unsafe V G-safe ^A J-unsafe ^A P-safe V G-unsafe ^ J-sa 


o “Z1”: Z-has-1 => Y-unsafe 
e Count of 2: 


o “A?”: A-has-2 > B-unsafe ^A G-unsafe 
o eee 
o “H2”: 
H-has-2 = G-safe ^A J-unsafe ^A P-unsafe V G-unsafe ^A J-safe ^A P-unsafe V G-unsafe ^ 


o eee 


There aren't any such axioms for locations with only one neighbor. 
e Count of 3: 


o “H3”: H-has-3 => G-unsafe A J-unsafe ^A P-unsafe 


o eee 
There aren't any such axioms for locations with only one or two neighbors. 
Axioms asserting that the propositions for counting neighbors are consistent: 


A-has-0 V A-has-1 

A-has-0 = —A-has-1 

A-has-1 = —A-has-0 

B-has-0 V B-has-1 V B-has-2 
B-has-0 = —=B-has-1 ^A —B-has-2 
B-has-1 = —=B-has-0 ^A —B-has-2 
B-has-2 = —B-has-0 ^A —B-has-1 


H-has-0 V H-has-1 v H-has-2 v H-has-3 
H-has-0 = —H-has-1 A —H-has-2 A —H-has-3 


H-has-1 = —H-has-0 A —H-has-2 A —H-has-3 
H-has-2 = —H-has-0 A —H-has-1 ^A —H-has-3 
H-has-3 = —=H-has-0 ^A —H-has-1 ^A —H-has-2 


Axioms asserting that the safety propositions are consistent: 


e A-safe => —A-unsafe, 
e +A-safe => A-unsafe, 


° Z-safe => —Z-unsafe, 
e —~Z-safe > Z-unsafe. 


This set of axioms is not quite complete, as explored in an exercise. 


As mentioned, it is redundant to have both A-safe and A-unsafe as propositions. Furthermore, having both allows 
us to express inconsistent states (ones that would contradict the safety axioms). If implementing this in a program, 
you might use both as variables, but have a safety-check function to make sure that a given board representation is 
consistent. Even better, you could implement WaterWorld so that these propositions wouldn't be variables, but 
instead be calls to a lookup (accessor) functions. These would examine the same internal state, to eliminate the 
chance of inconsistent data. 


Using only true/false propositions; without recourse to numbers makes these domain axioms unwieldy. Later, we'll 
see how relations and quantifiers help us model the game of WaterWorld more concisely. 


Reference: first-order WaterWorld 


We summarize the details of how we choose to model WaterWorld boards in first-order logic: exactly what 
relations we make up, and the formal domain axioms which capture the game's rules. 


This will follow almost exactly the same pattern as our WaterWorld model in propositional logic. However, we 
will take advantage of the additional flexibility provided by first-order logic. 


Rather than modeling only the default 6x4 WaterWorld board;, we will be able to model any board representable 


by our relations. This will allow boards of any size and configuration, with one major constraint — each location 
can have at most three neighboring pirates. 


Domain and Relations 

Our domain is simply the set of all board locations. This set can be arbitrarily large — even infinite! 
The board configuration is given by the binary “neighbor” relation nhbr. 

The next relations correspond directly to the propositions in the propositional logic model. 


e Whether or not a location contains a pirate: safe. This is a unary relation. 


Note: We choose not to include a redundant relation unsafe. 


e Unary relations indicating the number of neighboring pirates: has0, has1, has2, and has3. 


Note: Thus, we have our restriction to three unsafe neighbors. This will also be reflected in our domain 
axioms below. See also this problem for a discussion of how to avoid this restriction. 


In addition, to have encode the domain axioms for an arbitrary domain, we also need an equality relation over our 
domain of locations. As is traditional, we will use infix notation for this relation, for example, x = y. Furthermore, 
we will allow ourselves to write z # y as shorthand for — (æ = y). Thus, we do not need a distinct inequality 
relation. 


Note that these relations describe the state of the underlying board — the model — and not our particular view of 
it. Our particular view will be reflected in which formulas we'll accept as premises. So we'll accept has2 (A) asa 
premise only when A has been exposed and shows a 2. 


The domain axioms 


Many of our axioms correspond directly, albeit much more succinctly, with those of the propositional model. In 
addition, we have axioms that specify that our neighbor and equality relations are self-consistent. 


Axioms asserting that the neighbor relation is anti-reflexive and symmetric: 


e Vx : (=nhbr (x, z)) 
e Va: (Vy: (nhbr (z, y) => nhbr (y, z))) 


Axioms asserting that “=” truly is an equality relation, i.e., it is reflexive, symmetric, and transitive. 


s Yz: (z=ġ) 
e Vz : (Yy : ((x = y) > (y = z))) 
vg: (Vy: (Vz: ((z =y) A (y =z) => (z= z)))) 


Axioms asserting that the neighbor counts are correct. Each of these is of the form “if location æ has n neighboring 
pirates, then there are n distinct unsafe neighbors of æ, and any other distinct neighbor z is safe.” We use the 
equality relation to specify the distinctness of each neighbor. 


e Va : (has0 (x) = Vy: (nhbr (z, y) = safe (y))) 
e Vz : (hasl (x) = da: (nhbr(z,a) A ~safe (a) A Vy: (nhbr(z,y) A (a 4 y) = safe (y)))) 


Va : (has2 (x) a: (4b: (nhbr(z,a) ^A nhbr(z,b) A (a#b) A -safe(a) A asafe(b) A Vy: (: 


Va : (has3 (x) a: (Sb: (dc: (nhbr(z,a) A nhbr(z,b) A nhbr (z,c) A (a #6) A (a¥c) A (l 


In addition, we want the implications to go the opposite way. Otherwise, each of has0, has1, has2, and has3 
could always be false, while still satisfying the above! For brevity, we elide the details in the following list: 


e Va: (Vy: (nhbr (a, y) => safe (y)) > has0 (z)) 
e Va: (... => hasl (z)) 
e Va: (... => has2(z)) 
e Va: (... => has3 (z)) 


Axioms asserting that the neighbor counts are consistent. While redundant, including axioms like the following 
can be convenient. 


e Va : (has0 (x) > 7( (x) V has2(x) V has3 («))) 
e Vz : (hasl (x) > ~ (has0 (x) V has2 (z) V has3(z))) 
e Va : (has2 (x) = ~ (has0 (x) V hasi (æ) V has3(æ))) 
e Vz : (has3 (x) = ~ (has0 (x) V hasi (æ) V has2(æ))) 


Note that this set of axioms is not quite complete, as explored in an exercise. 


Browser support 


Note:The information in this module is outdated. Please see my course for 
a table of contents. 


Note: This page meant to be viewed with a MathML-enabled browser. If 
you see (Wx. (P(x) > (Ay. (P(y) V @)))) as a nice version of (forall x . (P(x) 
-> (exists y . (P(y) v phi)))) you're doing okay; If you further see 4 | B as 
a nice version of (scriptA |- scriptB) you're set! If not, see our description 
of browser support . 


At Rice on the CSNet, use mozilla. Preferably, use version 1.1, as 
currently available on Solaris 8 machines. On frosty.cs, version 1.1 is the 
default. On other Solaris 8 machines, version 1.1 is not yet the default, but 
available via /opti/mozilla-1.1/sunos5/bin/mozilla. 


In general, to view TeachLogic web pages, you'll need a browser that 
supports the following features: 


sufficiently well. 

e MathML -- Some browsers support MathML sufficiently well. 
However, most (all?) do not fully support Unicode Plane 1 numerical 
entity references, which includes most mathematical alphanumeric 
characters. 

e Math-oriented fonts 


Which browsers support these features? The above links provide more 
details, but here's a summary of some browsers. 


e Mozilla and Netscape (version 7.0) -- Both work, except some 
characters (Unicode Plane 1) don't appear correctly. 


e Internet Explorer is not yet an option, even with the MathPlayer plug- 
in to view MathML. IE won't display pages with some characters 
(Unicode Plane 1). 


Alternatively, PDF versions of the web pages are also provided via the Base 
module's index . 


